Abstract

We give new improvements to the Chudnovsky-Chudnovsky method that provides upper bounds on the bilinear complexity of multiplication in extensions of finite fields through interpolation on algebraic curves. Our approach features three independent key ingredients:

• We allow asymmetry in the interpolation procedure. This allows us to prove, via the usual cardinality argument, the existence of auxiliary divisors needed for the bounds, up to optimal degree.

• We give an alternative proof for the existence of these auxiliary divisors, which is constructive, and works also in the symmetric case, although it requires the curves to have sufficiently many points.

• We allow the method to deal not only with extensions of finite fields, but more generally with monogenous algebras over finite fields. This leads to sharper bounds, and is designed also to combine well with base field descent arguments in case the curves do not have sufficiently many points.

As a main application of these techniques, we fix errors in, improve, and generalize, previous works of Shparlinski-Tsfasman-Vladut, Ballet, and Cenk-Ozbudak. Besides, generalities on interpolation systems, as well as on symmetric and asymmetric bilinear complexity, are also discussed.

Introduction

The bilinear complexity $\mu(A/K)$ of a finite-dimensional algebra $A$ over a field $K$ measures the essential minimal number of two-variable multiplications in $K$ needed to perform a multiplication in $A$, and considering other operations, such as multiplication by a constant, as having no cost. More intrinsically, it can be defined as the rank of the tensor in

$$A \otimes A^\vee \otimes A^\vee \tag{1}$$

naturally deduced from the multiplication map in $A$.

The study of $\mu(A/K)$, and the effective derivation of multiplication algorithms, are of both theoretical and practical importance. Pioneering works in this field are Karatsuba's algorithm [53] for integer and polynomial multiplication, and Strassen's algorithm [33] for matrix multiplication.

There are (at least) two ways in which these questions could be addressed from an algebraic geometry point of view. These two approaches are seemingly unrelated, although, to the author's knowledge, possible links between the two have never been seriously studied (nor will they be here). The first one is to consider tensors of rank 1 as defining points of a certain Segre variety, and tensors of higher rank, points of its successive secant varieties. This leads to deep and beautiful problems [35] [24], but we will not be interested in this approach here. The second one is through the theory of interpolation. Karatsuba's algorithm may be interpreted as follows: evaluate the polynomials at the points $0, 1, \infty$ of the projective line, multiply these values locally, and interpolate the results to reconstruct the product polynomial. Replacing the line with algebraic curves of higher genus allowed Chudnovsky and Chudnovsky in [17] to first prove that the bilinear complexity of multiplication in certain extensions of finite fields grows at most linearly with the degree. For example, letting $\mu_q(n) = \mu(\mathbb{F}_{q^n}/\mathbb{F}_q)$, their result implies

liminf-/i,(n) < 2 ( 1 + ^ — -) (2)
for q > 25 a square.



Several improvements and variants of the Chudnovsky-Chudnovsky algorithm were then proposed by various authors in order to give sharper or more general asymptotic, as well as non-asymptotic, upper bounds. Roughly speaking, they all rely on the following three ingredients:

a) A "generic" interpolation process which explains how to derive these upper bounds from the existence, postulated a priori, of certain geometric objects. These objects are:

b) Algebraic curves having "good" parameters, meaning, most of the time, that they have sufficiently many points of various degrees, and controlled genus.

c) Divisors on these curves, such that certain evaluation maps associated to them are injective or surjective. Often this can be reformulated as requiring the existence of systems of simultaneously zero-dimensional or non-special divisors of a certain form and appropriate degree.

These three points are important. However remark that a well-designed algorithm in a) should make the existence of the objects b) and c) it needs easier to check. In this paper we will give new contributions to a), and also to c), and then proceed to some direct, but hopefully already significant, applications (further applications could be given, but they require combination with quite different methods, so they will be treated elsewhere).

Our main technical results are Theorems 3.5 and 5.2 below.
Theorem 3.5 is our main contribution to a). There we present a generalization of the Chudnovsky-Chudnovsky algorithm that has two new features:

• We allow interpolation at arbitrary closed subschemes of the curve in a uniform way. The original method of Chudnovsky-Chudnovsky used only points of degree 1, with multiplicity 1. Variants introduced by Ballet-Rolland and Arnaud allowed interpolation at points of higher degree, or with higher multiplicity. These improvements were combined and further generalized by Cenk-Ozbudak in [14]. However, somehow, Cenk-Ozbudak still deal with degree $m$ and multiplicity $l$ separately since they use two parameters, $\mu_q(m)$ and $M_q(l)$, for them. Here we introduce a new quantity,

$$\mu_q(m,l), \tag{3}$$

the bilinear complexity of the algebra $\mathbb{F}_{q^m}[t]/(t^l)$ over $\mathbb{F}_q$, to deal with both at the same time. This leads ultimately to improved bounds and is especially useful when combined, for example, with descent arguments, such as the ones used in [Zllll [5]. Another indication of the naturality of our approach is that these $\mu_q(m,l)$ can be made to appear on both sides of our inequalities. This means, not only do we have upper bounds in terms of these $\mu_q(m,l)$, but at the same time we can also derive upper bounds on them.

• We allow asymmetry when lifting the elements to be multiplied, even if the multiplication law is commutative (as is permitted by the very definition of bilinear complexity). This has dramatic consequences for applications since it makes the existence of the divisors mentioned in c) above much easier to prove. Technically speaking, classical "symmetric" variants of the Chudnovsky-Chudnovsky algorithm (starting from the original) suppose given two effective divisors $G$ and $G'$ and ask for the existence of an auxiliary divisor $D$ such that:

- $D - G'$ is non-special
- $2D - G$ is zero-dimensional.    (4)

In our asymmetric version, we ask for two divisors $D_1, D_2$ such that:

- $D_1 - G'$ and $D_2 - G'$ are non-special
- $D_1 + D_2 - G$ is zero-dimensional.    (5)

As explained below, this small change allows us at once to fill a gap in the proof of bounds claimed by Shparlinski-Tsfasman-Vladut [31] and Ballet mil.

Then Theorem 5.2 combines Theorem 3.5 with general existence results for divisors as asked above, leading to bounds that depend only on the number of points of the curve, in a somehow optimal way. To be more precise, while all divisors of negative degree are zero-dimensional (and likewise all divisors of degree more than $2g - 1$ are non-special), for the bounds on the complexity to be as sharp as possible, one needs the divisors involved to be of degree as near to $g - 1$ as possible.

Shparlinski-Tsfasman-Vladut, and later also Ballet, claimed they were able to solve system (4) up to degree $g - 1$ (or at least, asymptotically in [31], while exactly in [1]). For this they use a cardinality argument. They consider the map that sends the linear equivalence class $[D]$ to the class $[2D - G]$, and from this, deduce that the number of linear equivalence classes of $D$ such that $2D - G$ is not zero-dimensional is not more than the number of effective divisors of the corresponding degree. However this inference is incorrect, because the map $[D] \mapsto [2D - G]$ is not injective. Taking this non-injectivity into account multiplies their bound by the 2-torsion order of the class group, which ruins the argument.

This error was first mentioned in a preprint of Cascudo-Cramer-Xing, although this discussion was removed from the final version of their paper. However it can still be found in Cascudo's PhD dissertation [TT], Chap. 12.

On the other hand, our new asymmetric system (5) is much easier to solve. Indeed, the divisors $D_1$ and $D_2$ can then be constructed one at a time, there is no multiplication-by-2 map in the class group involved, and the cardinality argument works smoothly. This allows us, under very mild assumptions, to solve system (5) up to degree exactly $g - 1$, which is optimal, and ultimately, to complete the proof of the bounds claimed in [U [5] [31] (except for one, where there is another error, discussed in the text). These repaired bounds now form our Corollary 5.4 and Theorems 6.3 and 6.4. For example, (2) can now be replaced safely with the new estimate (first claimed in [31])

limsup i/ig('^) < 2 U + -7^) (6)
n

for q > 9 a square.

A small drawback of this cardinality argument, already mentioned in [31], is its non-constructiveness. Also, for some applications, it might appear unsatisfactory to get only asymmetric multiplication algorithms for an algebra in which the multiplication law is commutative. So we propose an alternative method, more constructive, that solves system (5), as well as the original symmetric system (4), also up to degree exactly $g - 1$, although only under more restrictive assumptions. This alternative construction, that relies on the theory of Weierstrass gap and order sequences, is a straightforward adaptation of a method previously developed by the author in another context [55]. In doing so we are also led to stress the distinction between the usual bilinear complexity, and a more restricted notion of symmetric bilinear complexity. For example, our symmetric variant of (6) yields

hm sup i^i^y- in) < 2 f 1 + — ^) (7)

for q > 49 a square (note the stronger restriction on q).



Besides these two main Theorems 3.5 and 5.2 and their applications in Corollary 5.4 and Theorems 6.3 and 6.4, other topics of possible interest discussed in this paper include a fairly general presentation of interpolation systems in Section 2 as well as a study of low degree (or low genus) examples in Section U] that clarifies and improves statements of [14].

Before we finish this Introduction, we would like to mention the very close links that exist between this domain and other areas of mathematics and theoretical computer science. One first such area is coding theory, and more precisely the theory of intersecting codes. The link between multiplication algorithms and intersecting codes was first stressed in [2] and [25]. More important, in [38], Xing studied intersecting codes arising from algebraic curves, and he gave a criterion for their existence, that reduces essentially to the second part of system (4). Hence here also the 2-torsion in the class group is an obstruction to get optimal parameters (see [27] for elaborations on this). This problem was essentially solved, or more properly, bypassed by the author in [28] with the method discussed above (although the analog problem for $t$-torsion, $t \geq 3$, is still open).

Another such area is cryptography with the theory of linear secret sharing systems with multiplication property, in particular within the framework of secure multi-party computation [18]. In one direction, to optimize the parameters of these systems, multiplication algorithms with low bilinear complexity are sometimes required. In the other direction, secure multi-party computation schemes based on algebraic curves were introduced by Chen and Cramer in fTB], and the design of these schemes also involves a system similar to (4). And again, the 2-torsion in the class group is an obstruction to get optimal parameters [ill [T5]. It would be interesting to check how the tools introduced in the present work could be put to use in this context.

Conventions. In this text we make free use of the language of modern algebraic geometry: schemes, sheaves, and cohomology. Admittedly, the only place where this is necessary is at the end of Section 2 while designing interpolation systems from higher dimensional algebraic varieties, and this point is quite secondary in our presentation. From Section 3 on, we deal only with curves, and everything could be equally well expressed in the language of function fields in one indeterminate. We made the choice to stick to the geometric point of view, but, keeping in mind that application oriented readers might be more familiar with the function field terminology, we tried to keep the level of exposition accessible so that translation from one language to the other would remain easy. As standard references for these subjects we advise [22] for the general geometric language and [32] for the function field approach in the case of curves.

1 Tensor rank and bilinear complexity 

Definition 1.1. Let $K$ be a field, and $E_0, \dots, E_s$ be finite-dimensional $K$-vector spaces. A non-zero element $t \in E_0 \otimes \cdots \otimes E_s$ is said to be an elementary tensor, or a tensor of rank 1, if it can be written in the form $t = e_0 \otimes \cdots \otimes e_s$ for some $e_i \in E_i$. More generally, the rank of an arbitrary $t \in E_0 \otimes \cdots \otimes E_s$ is defined as the minimal length of a decomposition of $t$ as a sum of elementary tensors.

Definition 1.2. If

$$\alpha : E_1 \times \cdots \times E_s \to E_0 \tag{8}$$

is an $s$-linear map, the $s$-linear complexity of $\alpha$ is defined as the tensor rank of the element

$$\alpha \in E_0 \otimes E_1^\vee \otimes \cdots \otimes E_s^\vee \tag{9}$$

naturally deduced from $\alpha$.

For $s = 1$, these notions are very well understood (they reduce essentially to the rank of a matrix). However, starting from $s = 2$, they can be surprisingly difficult to handle.

Definition 1.3. Let $A$ be a finite-dimensional $K$-algebra. We denote by

$$\mu(A/K) \tag{10}$$

the bilinear complexity of the multiplication map

$$m_A : A \times A \to A \tag{11}$$

considered as a $K$-bilinear map.

More concretely, $\mu(A/K)$ is the smallest integer $n$ such that there exist linear forms $\phi_1, \dots, \phi_n$ and $\psi_1, \dots, \psi_n : A \to K$, and elements $w_1, \dots, w_n \in A$, such that for all $x, y \in A$ one has

$$xy = \phi_1(x)\psi_1(y)w_1 + \cdots + \phi_n(x)\psi_n(y)w_n. \tag{12}$$

Indeed, such an expression is the same thing as a decomposition

$$m_A = \sum_{i=1}^{n} w_i \otimes \phi_i \otimes \psi_i \in A \otimes A^\vee \otimes A^\vee \tag{13}$$

for the multiplication tensor of $A$.

Remark that here, the notion of algebra is taken in its broadest sense. However, in Proposition 2.4, and then from Section 3 on, we will only consider algebras that are associative, commutative, and with unity.



Definition 1.4. We call multiplication algorithm of length $n$ for $A/K$ a collection of $\phi_i, \psi_i, w_i$ that satisfy (12). Such an algorithm is said symmetric if $\phi_i = \psi_i$ for all $i$ (this can happen only if $A$ is commutative).

The study of $\mu(A/K)$, and the effective derivation of multiplication algorithms, are of both theoretical and practical importance. Pioneering works in this field are Karatsuba's algorithm [23] for integer and polynomial multiplication, and Strassen's algorithm [33] for matrix multiplication.

In practical terms, focusing on the bilinear complexity of the multiplication in $A$ means according importance only to the number of two-variable multiplications in $K$ needed to perform a multiplication in $A$, and considering other operations, such as multiplication by a constant, as having no cost. This is a reasonable assumption although its relevance clearly depends on the computation model.

When $A$ is commutative, it is sometimes convenient to favour the study of symmetric multiplication algorithms. Thus, as $\mu(A/K)$ is defined as the minimal length of a (possibly asymmetric) multiplication algorithm for $A/K$, we also introduce the following:

Definition 1.5. If $A$ is a finite-dimensional commutative $K$-algebra, we define its symmetric bilinear complexity

$$\mu^{\mathrm{sym}}(A/K) \tag{14}$$

as the minimal length of a symmetric multiplication algorithm for $A/K$.

Equivalently, it is the minimal length of a decomposition of the multiplication tensor $m_A$ as a sum of symmetric elementary tensors, that is, of tensors of the form $w \otimes \phi \otimes \phi \in A \otimes A^\vee \otimes A^\vee$.



Here we gather a few elementary properties of these notions. Lemma 1.6 shows that symmetric bilinear complexity is well defined, and compares it with its non-symmetric counterpart. Lemma 1.9 gives basic lower bounds for $\mu(A/K)$, and Lemma 1.10 deals with some functorial properties. Certainly most things here are already classical and can be found from other sources. The reader is especially referred to the foundational work [31] (and to the additional material in dHl [551 [37] ) , or to textbooks such as [TU1I21J . for historical details and further results of this type.

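Lemma 1.6. Let $A$ be a finite-dimensional commutative $K$-algebra. Then $A$ admits a symmetric multiplication algorithm, hence $\mu^{\mathrm{sym}}(A/K) < \infty$ is well defined. More precisely, it satisfies

$$\mu^{\mathrm{sym}}(A/K) \leq \frac{d(d+1)}{2} \tag{15}$$

where $d = \dim_K A$. If $\operatorname{char} K \neq 2$, then also

$$\mu^{\mathrm{sym}}(A/K) \leq 2\mu(A/K). \tag{16}$$

In the other direction, we always have

$$\mu(A/K) \leq \mu^{\mathrm{sym}}(A/K). \tag{17}$$

Proof. Let $e_1, \dots, e_d$ be a basis of $A$, and let $e_1^\vee, \dots, e_d^\vee$ be the dual basis. First remark that the multiplication tensor of $A$ can always be decomposed as $m_A = \sum_{i,j} (e_i e_j) \otimes e_i^\vee \otimes e_j^\vee$, and since $A$ is commutative this can be rearranged as:

$$m_A = \sum_{1 \leq i \leq d} (e_i^2) \otimes e_i^\vee \otimes e_i^\vee + \sum_{1 \leq i < j \leq d} (e_i e_j) \otimes (e_i^\vee \otimes e_j^\vee + e_j^\vee \otimes e_i^\vee). \tag{18}$$

The first sum is already composed of symmetric tensors, and the second sum can also be put in such a form since

$$e_i^\vee \otimes e_j^\vee + e_j^\vee \otimes e_i^\vee = (e_i^\vee + e_j^\vee) \otimes (e_i^\vee + e_j^\vee) - e_i^\vee \otimes e_i^\vee - e_j^\vee \otimes e_j^\vee. \tag{19}$$

We plug this into the previous equality and then regroup the similar terms to find:

$$m_A = \sum_{1 \leq i \leq d} (2e_i^2 - e_i s) \otimes e_i^\vee \otimes e_i^\vee + \sum_{1 \leq i < j \leq d} (e_i e_j) \otimes (e_i^\vee + e_j^\vee) \otimes (e_i^\vee + e_j^\vee) \tag{20}$$

where $s = \sum_{j=1}^{d} e_j$. This gives (15).

Now suppose $\operatorname{char} K \neq 2$, and let $w_i, \phi_i, \psi_i$ define a multiplication algorithm of length $n = \mu(A/K)$ for $A$. We can then write

$$\begin{aligned} m_A &= \sum_{i=1}^{n} w_i \otimes \phi_i \otimes \psi_i = \sum_{i=1}^{n} w_i \otimes \psi_i \otimes \phi_i \\ &= \frac{1}{2} \sum_{i=1}^{n} w_i \otimes (\phi_i \otimes \psi_i + \psi_i \otimes \phi_i) \\ &= \frac{1}{4} \sum_{i=1}^{n} w_i \otimes (\phi_i + \psi_i) \otimes (\phi_i + \psi_i) - \frac{1}{4} \sum_{i=1}^{n} w_i \otimes (\phi_i - \psi_i) \otimes (\phi_i - \psi_i), \end{aligned} \tag{21}$$

hence (16).

Last, (17) is trivial. □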



Remark 1.7. Let $K = \mathbb{F}_2$. We can interpret (19) as giving a decomposition of the rank two symmetric matrix J as a sum of three rank 1 symmetric matrices:

For $K = \mathbb{F}_2$ it is easily seen that this decomposition is minimal.

As a consequence, if $A$ is the 2-dimensional commutative (but non-associative and without unity) $\mathbb{F}_2$-algebra with basis $e_1, e_2$ and multiplication defined by $e_1 e_2 = e_2 e_1 = e_1$ and $e_1^2 = e_2^2 = 0$, then

$$\mu(A/K) = 2 < \mu^{\mathrm{sym}}(A/K) = 3. \tag{23}$$

This gives an example of strict inequality in (17).
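The two values in (23) can be checked by exhaustive search over all rank-1 terms, since the algebra of Remark 1.7 is tiny. The following Python sketch is an added example, not code from the paper; the function names and the bit-pair encoding of elements and linear forms are choices made here.

```python
from itertools import combinations, product

# Algebra of Remark 1.7 over F_2: basis e1, e2 with e1*e2 = e2*e1 = e1 and
# e1^2 = e2^2 = 0. Elements and linear forms are both stored as bit pairs.
VECTORS = list(product((0, 1), repeat=2))
NONZERO = [v for v in VECTORS if any(v)]


def mul(x, y):
    """Product in A: (x1*y2 + x2*y1) * e1."""
    return ((x[0] & y[1]) ^ (x[1] & y[0]), 0)


def form(phi, x):
    """Value in F_2 of the linear form phi at x."""
    return (phi[0] & x[0]) ^ (phi[1] & x[1])


def is_algorithm(terms):
    """Check identity (12): x*y == sum_i phi_i(x) * psi_i(y) * w_i for all x, y."""
    for x, y in product(VECTORS, repeat=2):
        acc = (0, 0)
        for w, phi, psi in terms:
            if form(phi, x) & form(psi, y):
                acc = (acc[0] ^ w[0], acc[1] ^ w[1])
        if acc != mul(x, y):
            return False
    return True


def minimal_length(symmetric, max_len=4):
    """Smallest n such that some n rank-1 terms satisfy (12), with one witness."""
    if symmetric:
        pool = [(w, phi, phi) for w in NONZERO for phi in NONZERO]
    else:
        pool = [(w, phi, psi)
                for w in NONZERO for phi in NONZERO for psi in NONZERO]
    # Over F_2 a repeated term cancels, so searching subsets of the pool suffices.
    for n in range(1, max_len + 1):
        for terms in combinations(pool, n):
            if is_algorithm(terms):
                return n, terms
    return None


if __name__ == "__main__":
    print("mu     =", minimal_length(symmetric=False)[0])
    print("mu_sym =", minimal_length(symmetric=True)[0])
```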



Definition 1.8. Given a multiplication algorithm as in (12), one associates to it two linear codes $C_\phi$ and $C_\psi \subset K^n$, namely the images of the evaluation maps

$$\phi : A \to K^n,\ x \mapsto (\phi_1(x), \dots, \phi_n(x)) \qquad \psi : A \to K^n,\ y \mapsto (\psi_1(y), \dots, \psi_n(y)) \tag{24}$$

respectively.

Lemma 1.9. Let $A$ be a finite-dimensional $K$-algebra.

a) If $A$ admits a unit element,

$$\mu(A/K) \geq \dim_K A. \tag{25}$$

b) If $A$ has no zero-divisor,

$$\mu(A/K) \geq 2\dim_K A - 1. \tag{26}$$

Proof. Consider a multiplication algorithm as in (12). If $A$ admits a unit element, then $w_1, \dots, w_n$ span $A$, hence the first inequality. For the second inequality, remark that if $A$ has no zero-divisor, then:

• the maps $\phi$ and $\psi$ must be injective, hence the codes $C_\phi$ and $C_\psi$ have dimension $k = \dim_K A$,

• these two codes must be mutually intersecting, that is, any non-zero $c \in C_\phi$ and $c' \in C_\psi$ must have non-disjoint supports.

By the first point, if $k > [n/2]$, one could find a non-zero $c \in C_\phi$ vanishing on the first $[n/2]$ coordinates, and a non-zero $c' \in C_\psi$ vanishing on the last $[n/2]$. These $c, c'$ would then contradict the second point. Hence $k \leq [n/2]$, which gives precisely (26). □

The link between multiplication algorithms and intersecting codes was first stressed in [9] and [25]. For more on this last topic, see for example |23 and the references therein. Another coding-theoretical view on some bilinear complexity problems has also been proposed, through the notion of supercode, in [31].

Lemma 1.10. a) If $A$ is a finite-dimensional $K$-algebra and $L$ an extension field of $K$, and if we let $A_L = A \otimes_K L$ considered as an $L$-algebra, then

$$\mu(A_L/L) \leq \mu(A/K). \tag{27}$$

b) If $A$ is a finite-dimensional $L$-algebra, where $L$ is an extension field of $K$, then $A$ can also be considered as a $K$-algebra, and

$$\mu(A/K) \leq \mu(A/L)\mu(L/K). \tag{28}$$

c) If $A$ and $B$ are two finite-dimensional $K$-algebras,

$$\mu(A \times B/K) \leq \mu(A/K) + \mu(B/K). \tag{29}$$

d) If $A$ and $B$ are two finite-dimensional $K$-algebras,

$$\mu(A \otimes_K B/K) \leq \mu(A/K)\mu(B/K). \tag{30}$$

Moreover, when the algebras are commutative, then (27)(28)(29)(30) also hold with $\mu^{\mathrm{sym}}$ in place of $\mu$.

Proof. To prove a), remark that if linear forms $\phi_1, \dots, \phi_n$ and $\psi_1, \dots, \psi_n : A \to K$ and elements $w_1, \dots, w_n \in A$ define a multiplication algorithm for $A/K$, then the $\phi_i$ and $\psi_i$ lift to linear forms $A_L \to L$, and the $w_i$ can be seen as elements of $A_L$, and as such they define a multiplication algorithm for $A_L/L$ of the same length $n$.

To prove b) we use an analogue of the concatenation procedure in coding theory. Formally, suppose we are given:

• a multiplication algorithm of length $m$ for $L/K$, defined by linear forms $\alpha_1, \dots, \alpha_m$ and $\beta_1, \dots, \beta_m : L \to K$ and elements $l_1, \dots, l_m \in L$,

• a multiplication algorithm of length $n$ for $A/L$, defined by linear forms $\lambda_1, \dots, \lambda_n$ and $\rho_1, \dots, \rho_n : A \to L$ and elements $a_1, \dots, a_n \in A$.

Then, letting $N = mn$, the two collections of $N$ linear forms $\phi_{i,j} = \alpha_i \circ \lambda_j$ and $\psi_{i,j} = \beta_i \circ \rho_j : A \to K$, and the $N$ elements $w_{i,j} = l_i a_j \in A$, for $1 \leq i \leq m$ and $1 \leq j \leq n$, define a multiplication algorithm of length $N$ for $A/K$. Indeed, for all $x, y \in A$,

$$xy = \sum_{i,j} \alpha_i(\lambda_j(x))\,\beta_i(\rho_j(y))\,l_i a_j. \tag{31}$$

To make the connection with concatenation in coding theory clearer, remark that $C_\phi$ is then the concatenated code $C_\alpha \circ C_\lambda$, and likewise $C_\psi = C_\beta \circ C_\rho$.

The proof of c) proceeds analogously using the notion of direct sum of multiplication algorithms. Suppose we are given:

• a multiplication algorithm of length $m$ for $A/K$, defined by linear forms $\phi_1, \dots, \phi_m$ and $\psi_1, \dots, \psi_m : A \to K$ and elements $a_1, \dots, a_m \in A$,

• a multiplication algorithm of length $n$ for $B/K$, defined by linear forms $\lambda_1, \dots, \lambda_n$ and $\rho_1, \dots, \rho_n : B \to K$ and elements $b_1, \dots, b_n \in B$.

Identify $A$ with the subspace $A \times \{0\}$ and $B$ with the subspace $\{0\} \times B$ in $A \times B$. Then for any $x = (r, s)$ and $y = (u, v)$ in $A \times B$ we have

$$xy = ru + sv = \sum_{1 \leq i \leq m} \phi_i(r)\psi_i(u)a_i + \sum_{1 \leq j \leq n} \lambda_j(s)\rho_j(v)b_j \tag{32}$$

hence this defines a multiplication algorithm of length $m + n$ for $A \times B$.

For d) we skip the details since everything works the same: suppose given $\phi_i, \psi_i, a_i$ and $\lambda_j, \rho_j, b_j$ as in the proof of c), then the $\phi_i \otimes \lambda_j$, $\psi_i \otimes \rho_j$, $a_i \otimes b_j$ give a multiplication algorithm of length $N = mn$ for $A \otimes B$.

For the last assertion, remark that if we start with symmetric algorithms, then the constructions given above lead also to symmetric algorithms. □

Question 1.11. It would be interesting to have criteria for equality in this Lemma 1.10. For the inequalities in parts a) and b) (and hence also for part d), there are non-trivial examples in which equality holds, and others in which the inequality is strict (see below, or [37]). A general rule does not seem obvious. Turning to c), the author does not know any example where the inequality is strict. In fact, the now folklore direct sum conjecture (see [Tni[311[37]) suggests there should always be equality:

$$\mu(A \times B/K) = \mu(A/K) + \mu(B/K). \tag{33}$$

Proofs are known only for some very specific classes of algebras. The general case is still open.

Remark 1.12. We would like to indicate a few possible generalizations of the notions developed so far.

First, we worked over a field, but it is also possible to work over a ring, or even over a more general base. This could be of interest, for instance, if one is given a family of tensors that vary with some parameters, and one requests elementary decompositions for them that vary accordingly.

In another direction, one could also extend the notion of symmetry. Given a group $G$ acting on some tensor space, we can ask whether every $G$-invariant tensor admits a decomposition as a sum of $G$-invariant elementary tensors (and if so, what is the minimal length of such a decomposition). For $G = \mathfrak{S}_2$ the symmetric group of order 2 acting on $A \otimes A^\vee \otimes A^\vee$ by permuting the last two factors, we saw in Lemma 1.6 that this is true (although the minimal symmetric decomposition might be longer than the non-symmetric one). However for more general group actions this is not always possible. The elegant counterexample that follows is due to Cascudo [12, :

Consider the trilinear map

$$\mathbb{F}_4 \times \mathbb{F}_4 \times \mathbb{F}_4 \to \mathbb{F}_4, \qquad (x, y, z) \mapsto xyz \tag{34}$$

over $\mathbb{F}_2$. It defines a tensor in $\mathbb{F}_4 \otimes \mathbb{F}_4^\vee \otimes \mathbb{F}_4^\vee \otimes \mathbb{F}_4^\vee$, and since $\mathbb{F}_4$ is commutative, this tensor is $\mathfrak{S}_3$-invariant, where $\mathfrak{S}_3$ acts by permuting the last three factors. Suppose this tensor admits an $\mathfrak{S}_3$-invariant elementary decomposition. This means one can find elements $w_1, \dots, w_n \in \mathbb{F}_4$, and linear forms $\phi_1, \dots, \phi_n : \mathbb{F}_4 \to \mathbb{F}_2$, such that for all $x, y, z \in \mathbb{F}_4$, one has $xyz = \sum_{i=1}^{n} \phi_i(x)\phi_i(y)\phi_i(z)w_i$. But then for all $x, y \in \mathbb{F}_4$ one finds

$$x^2 y = \sum_{i=1}^{n} \phi_i(x)^2 \phi_i(y)\, w_i, \qquad xy^2 = \sum_{i=1}^{n} \phi_i(x)\phi_i(y)^2\, w_i \tag{35}$$

and the two quantities on the right are equal because all $a \in \mathbb{F}_2$ satisfy $a^2 = a$. This is a contradiction since there are $x, y \in \mathbb{F}_4$ with $x^2 y \neq xy^2$.

2 Interpolation systems 

If $B$ is a $K$-algebra and if $E_1, E_2 \subset B$ are two linear subspaces, we denote by $E_1 E_2$ the linear span of the products $e_1 e_2$ in $B$, for $e_1 \in E_1$ and $e_2 \in E_2$.

Definition 2.1. Let $A$ and $A'$ be two finite-dimensional $K$-algebras. By an interpolation system for $A'$ by $A$ we mean the following data:

• a $K$-algebra $B$ (of possibly infinite dimension) equipped with two $K$-algebra morphisms $f : B \to A$ and $f' : B \to A'$

• two linear subspaces $E_1, E_2 \subset B$

satisfying the following conditions:

(i) the restriction $f|_{E_1 E_2} : E_1 E_2 \to A$ is injective

(ii) the restrictions $f'|_{E_1} : E_1 \to A'$ and $f'|_{E_2} : E_2 \to A'$ are surjective.

This can be summarized with the following diagram:

$E_1 E_2 \subset B \supset E_1, E_2$, with $f|_{E_1 E_2} : E_1 E_2 \hookrightarrow A$, $f : B \to A$, $f' : B \to A'$, and $f'|_{E_i} : E_i \twoheadrightarrow A'$.

Such an interpolation system is said symmetric if $E_1 = E_2$.

Proposition 2.2. Let $A$ and $A'$ be two finite-dimensional $K$-algebras. Suppose there exists an interpolation system for $A'$ by $A$. Then

$$\mu(A'/K) \leq \mu(A/K). \tag{36}$$

Moreover, if $A$ and $A'$ are commutative and the interpolation system is symmetric, then also $\mu^{\mathrm{sym}}(A'/K) \leq \mu^{\mathrm{sym}}(A/K)$.

Proof. Let $\phi_1, \dots, \phi_n$, $\psi_1, \dots, \psi_n : A \to K$, and $w_1, \dots, w_n \in A$ define a multiplication algorithm for $A/K$, where $n = \mu(A/K)$.

Suppose we are given an interpolation system for $A'$ by $A$. Thanks to properties (i) and (ii) above, we can choose:

• a retraction $\rho : A \to E_1 E_2$ of $f|_{E_1 E_2}$

• sections $\sigma_1 : A' \to E_1$ of $f'|_{E_1}$ and $\sigma_2 : A' \to E_2$ of $f'|_{E_2}$.

Then, for $1 \leq i \leq n$, we let:

• $\phi'_i = \phi_i \circ f|_{E_1} \circ \sigma_1 : A' \to K$

• $\psi'_i = \psi_i \circ f|_{E_2} \circ \sigma_2 : A' \to K$

• $w'_i = f'(\rho(w_i)) \in A'$.

Then $\phi'_1, \dots, \phi'_n$, $\psi'_1, \dots, \psi'_n$, and $w'_1, \dots, w'_n \in A'$ define a multiplication algorithm for $A'/K$. Indeed, for any $x', y' \in A'$, if we let $x = f(\sigma_1(x'))$ and $y = f(\sigma_2(y'))$, then:

$$\begin{aligned} \sum_{1 \leq i \leq n} \phi'_i(x')\psi'_i(y')w'_i &= \sum_{1 \leq i \leq n} \phi_i(x)\psi_i(y)\, f'(\rho(w_i)) \\ &= f'(\rho(xy)) \\ &= f'(\rho(f(\sigma_1(x'))f(\sigma_2(y')))) \\ &= f'(\rho(f(\sigma_1(x')\sigma_2(y')))) \\ &= f'(\sigma_1(x'))f'(\sigma_2(y')) \\ &= x'y'. \end{aligned} \tag{37}$$

Thus $\mu(A'/K) \leq n$, as claimed.

For the last assertion, supposing $E_1 = E_2$, remark that if we start with a symmetric algorithm for $A/K$ and if we choose $\sigma_1 = \sigma_2$, then the construction gives a symmetric algorithm for $A'/K$. □

Corollary 2.3. If $A$ is a finite-dimensional $K$-algebra, and if $A'$ is a subalgebra of $A$, or a quotient algebra of $A$, then

$$\mu(A'/K) \leq \mu(A/K). \tag{38}$$

If $A$ is commutative, then also $\mu^{\mathrm{sym}}(A'/K) \leq \mu^{\mathrm{sym}}(A/K)$.

Proof. If $A'$ is a subalgebra of $A$, define an interpolation system by taking $E_1 = E_2 = B = A'$, $f$ the natural inclusion, and $f' = \mathrm{id}_{A'}$.

If $A'$ is a quotient algebra of $A$, take $E_1 = E_2 = B = A$, $f = \mathrm{id}_A$, and $f'$ the natural projection. □

The preceding corollary makes a rather trivial use of the notion of interpolation system. We will see more interesting examples, arising from algebraic geometry (for which we refer to standard textbooks such as [22]), as follows.

Proposition 2.4. Let $X$ be an algebraic variety, or more generally an arbitrary scheme over $K$, and let $\Sigma$ and $\Sigma'$ be two closed subschemes of $X$ that are finite over $K$. Suppose there are two invertible sheaves $\mathcal{L}_1$ and $\mathcal{L}_2$ on $X$ such that:

(i) the natural restriction map

$$\Gamma(X, \mathcal{L}_1 \otimes \mathcal{L}_2) \to \Gamma(\Sigma, \mathcal{L}_1 \otimes \mathcal{L}_2) \tag{39}$$

is injective

(ii) the natural restriction maps

$$\Gamma(X, \mathcal{L}_1) \to \Gamma(\Sigma', \mathcal{L}_1) \qquad \Gamma(X, \mathcal{L}_2) \to \Gamma(\Sigma', \mathcal{L}_2) \tag{40}$$

are surjective.

Consider the rings $A = \Gamma(\Sigma, \mathcal{O}_\Sigma)$ and $A' = \Gamma(\Sigma', \mathcal{O}_{\Sigma'})$. Then

$$\mu(A'/K) \leq \mu(A/K). \tag{41}$$

Moreover, if $\mathcal{L}_1 = \mathcal{L}_2$, then also $\mu^{\mathrm{sym}}(A'/K) \leq \mu^{\mathrm{sym}}(A/K)$.

A sufficient criterion for the conditions (i) and (ii) above to hold, hence also for the conclusion (41), can be expressed in terms of vanishing of certain cohomology groups as follows:

(i') $h^0(X, \mathcal{I}(\mathcal{L}_1 \otimes \mathcal{L}_2)) = 0$

(ii') $h^1(X, \mathcal{I}'\mathcal{L}_1) = h^1(X, \mathcal{I}'\mathcal{L}_2) = 0$

where $\mathcal{I}$ and $\mathcal{I}'$ are the sheaves of ideals on $X$ defining $\Sigma$ and $\Sigma'$, respectively. In fact, (i) and (i') are equivalent, while (ii') only implies (ii) a priori.

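Proof. Remark first that $\Sigma$ and $\Sigma'$ are finite over $K$, hence affine, and the rings $A$ and $A'$ are Artinian, and as such they can be written as a finite direct product of local rings. Thus any invertible module over $A$ or $A'$, or equivalently any invertible sheaf over $\Sigma$ or $\Sigma'$, is free. In particular, we can choose trivializations

$$\Gamma(\Sigma, \mathcal{L}_1) \simeq \Gamma(\Sigma, \mathcal{L}_2) \simeq A \qquad \Gamma(\Sigma', \mathcal{L}_1) \simeq \Gamma(\Sigma', \mathcal{L}_2) \simeq A' \tag{42}$$

and from these, deduce, for any integers $t_1, t_2$, trivializations

$$\Gamma(\Sigma, \mathcal{L}_1^{\otimes t_1} \otimes \mathcal{L}_2^{\otimes t_2}) = \Gamma(\Sigma, \mathcal{L}_1)^{\otimes t_1} \otimes \Gamma(\Sigma, \mathcal{L}_2)^{\otimes t_2} \simeq A \tag{43}$$

$$\Gamma(\Sigma', \mathcal{L}_1^{\otimes t_1} \otimes \mathcal{L}_2^{\otimes t_2}) = \Gamma(\Sigma', \mathcal{L}_1)^{\otimes t_1} \otimes \Gamma(\Sigma', \mathcal{L}_2)^{\otimes t_2} \simeq A'. \tag{44}$$

Consider now the bigraded algebra

$$B = \bigoplus_{t_1, t_2 \geq 0} \Gamma(X, \mathcal{L}_1^{\otimes t_1} \otimes \mathcal{L}_2^{\otimes t_2}). \tag{45}$$

It comes equipped with two morphisms of bigraded algebras

$$B \to \bigoplus_{t_1, t_2 \geq 0} \Gamma(\Sigma, \mathcal{L}_1^{\otimes t_1} \otimes \mathcal{L}_2^{\otimes t_2}) \qquad B \to \bigoplus_{t_1, t_2 \geq 0} \Gamma(\Sigma', \mathcal{L}_1^{\otimes t_1} \otimes \mathcal{L}_2^{\otimes t_2}) \tag{46}$$

defined by the natural restriction maps, and composing with (43) and (44), and then taking the sum, we get

$$f : B \to A \qquad f' : B \to A'. \tag{47}$$

Since (43) and (44) were defined in a compatible way from (42) as $t_1, t_2$ vary, we see that $f$ and $f'$ are not merely morphisms of vector spaces, they are in fact morphisms of algebras. Now we take

$$E_1 = B_{1,0} = \Gamma(X, \mathcal{L}_1) \qquad E_2 = B_{0,1} = \Gamma(X, \mathcal{L}_2) \tag{48}$$

so

$$E_1 E_2 \subset B_{1,1} = \Gamma(X, \mathcal{L}_1 \otimes \mathcal{L}_2) \tag{49}$$

and conditions (i) and (ii) in our hypotheses imply conditions (i) and (ii) in the definition of interpolation systems. We can now conclude thanks to Proposition 2.2.

To show that (i) and (i') are equivalent, and that (ii') implies (ii), use the long exact sequence in cohomology associated with the short exact sequence

$$0 \to \mathcal{J}\mathcal{L} \to \mathcal{L} \to \mathcal{L}|_{V(\mathcal{J})} \to 0 \tag{50}$$

with $\mathcal{J} = \mathcal{I}$ or $\mathcal{I}'$, and $\mathcal{L} = \mathcal{L}_1$, $\mathcal{L}_2$, or $\mathcal{L}_1 \otimes \mathcal{L}_2$. □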

Remark that conditions (i) and (ii), or (i) and (ii), in Proposition l2.41 are 
very similar to conditions used to estimate the parameters (dimension, distance) 
of AG codes. Thus, borrowing techniques from this field, one could hope to get 
good interpolation systems from classes of varieties on which one knows how to 
construct good codes, for example, algebraic surfaces, or toric varieties. 

However up to now, the geometric objects that are best understood from this 
point of view, especially regarding asymptotic properties, are algebraic curves. 
Thus interpolation systems constructed from algebraic curves will be studied in 
the next section. 

But before doing that, we give an example of use of the general Proposition 2.4.



Example 2.5. It is well known that $\mathbb{F}_8$ admits a symmetric multiplication algorithm of length 6 over $\mathbb{F}_2$. This is best shown by giving an explicit ad hoc description of this algorithm. It turns out that this construction admits a nice interpretation in terms of interpolation on the projective plane $\mathbb{P}^2$ over $\mathbb{F}_2$.

So let $X = \mathbb{P}^2$, and $\mathcal{L}_1 = \mathcal{L}_2 = \mathcal{O}(1)$ the universal line bundle on it. Let $x, y, z$ be the standard basis of $\Gamma(\mathbb{P}^2, \mathcal{O}(1))$, that is, $x, y, z$ are the usual projective coordinate functions on $\mathbb{P}^2$.

Write $\mathbb{F}_8 = \mathbb{F}_2[\alpha]$ with $\alpha^3 = \alpha + 1$, and let $\Sigma'$ be (the schematic image of) the point with homogeneous coordinates $(1 : \alpha : \alpha^2)$. Hence evaluation at $\Sigma'$ maps the function $\lambda x + \mu y + \nu z \in \Gamma(\mathbb{P}^2, \mathcal{O}(1))$ to the element $\lambda + \mu\alpha + \nu\alpha^2 \in \mathbb{F}_8$, so the surjectivity condition (ii) in Proposition 2.4 is satisfied (with, in fact, bijectivity).

For $\Sigma$ we choose the union of the six points $(1:0:0)$, $(0:1:0)$, $(0:0:1)$, $(1:1:0)$, $(1:0:1)$, $(0:1:1)$, and remark that evaluation of the basis functions $x^2, y^2, z^2, xy, xz, yz$ of $\Gamma(\mathbb{P}^2, \mathcal{O}(2))$ at these six points gives a triangular unipotent matrix, so the injectivity condition (i) is also satisfied (with, in fact, bijectivity).

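This is enough to conclude the existence of the algorithm, but in fact, since all proofs are constructive, we can describe it explicitly. Write down the four evaluation maps

$$\begin{aligned}
f &: \Gamma(\mathbb{P}^2, \mathcal{O}(1)) = \langle x, y, z \rangle \longrightarrow \Gamma(\Sigma, \mathcal{O}(1)) \simeq (\mathbb{F}_2)^6 \\
f' &: \Gamma(\mathbb{P}^2, \mathcal{O}(1)) = \langle x, y, z \rangle \longrightarrow \Gamma(\Sigma', \mathcal{O}(1)) \simeq \mathbb{F}_8 \\
F &: \Gamma(\mathbb{P}^2, \mathcal{O}(2)) = \langle x^2, y^2, z^2, xy, xz, yz \rangle \longrightarrow \Gamma(\Sigma, \mathcal{O}(2)) \simeq (\mathbb{F}_2)^6 \\
F' &: \Gamma(\mathbb{P}^2, \mathcal{O}(2)) = \langle x^2, y^2, z^2, xy, xz, yz \rangle \longrightarrow \Gamma(\Sigma', \mathcal{O}(2)) \simeq \mathbb{F}_8
\end{aligned}$$

where we have just seen that $f'$ and $F$ are bijective. Now the proof of Proposition 2.2 shows that multiplication in $\mathbb{F}_8$ decomposes as

$$\mathbb{F}_8 \times \mathbb{F}_8 \xrightarrow{\ \varphi \times \varphi\ } (\mathbb{F}_2)^6 \times (\mathbb{F}_2)^6 \xrightarrow{\ m_{(\mathbb{F}_2)^6}\ } (\mathbb{F}_2)^6 \xrightarrow{\ \omega\ } \mathbb{F}_8 \tag{51}$$

where $m_{(\mathbb{F}_2)^6}$ is coordinatewise multiplication, and $\varphi = f \circ (f')^{-1}$ and $\omega = F' \circ F^{-1}$ are given in matrix form by

$$\varphi = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 1 & 0 \\ 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix} \qquad \omega = \begin{pmatrix} 1 & 1 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 & 1 \\ 1 & 1 & 0 & 0 & 1 & 0 \end{pmatrix} \tag{52}$$

relative to the basis $1, \alpha, \alpha^2$ of $\mathbb{F}_8$ and the canonical basis of $(\mathbb{F}_2)^6$, with column vector convention.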

Of course there are other ways to interpret this construction, for example, 
as interpolation on the affine space A^. However remark that this would not 
have been possible working with curves only (or at least, not in a natural way), 
because curves over F2 of sufficiently small genus do not admit enough points 
for the interpolation to be possible. 
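
The decomposition of Example 2.5 can be checked mechanically. The following Python code is an added example, not code from the paper: it rebuilds the matrices of $f \circ (f')^{-1}$ and $F' \circ F^{-1}$ from the four evaluation maps and confirms that six coordinatewise products in $\mathbb{F}_2$ reproduce multiplication in $\mathbb{F}_8 = \mathbb{F}_2[\alpha]/(\alpha^3 + \alpha + 1)$. All function and variable names are this example's own.

```python
"""Length-6 multiplication in F_8 over F_2 by interpolation on P^2 (Example 2.5)."""
from itertools import product

# The six F_2-points of P^2 making up Sigma, in the order used in Example 2.5.
POINTS = [(1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 0), (1, 0, 1), (0, 1, 1)]
# Exponents (i, j, k) of the monomials x^2, y^2, z^2, xy, xz, yz.
QUADRATIC = [(2, 0, 0), (0, 2, 0), (0, 0, 2), (1, 1, 0), (1, 0, 1), (0, 1, 1)]


def f8_mul(u, v):
    """Reference product in F_2[alpha]/(alpha^3 + alpha + 1).
    Elements are coefficient lists [c0, c1, c2] on the basis 1, alpha, alpha^2."""
    c = [0] * 5
    for i, j in product(range(3), repeat=2):
        c[i + j] ^= u[i] & v[j]
    for d in (4, 3):  # alpha^d = alpha^(d-2) + alpha^(d-3)
        if c[d]:
            c[d] = 0
            c[d - 2] ^= 1
            c[d - 3] ^= 1
    return c[:3]


def mat_vec(M, v):
    """Matrix times column vector over F_2."""
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]


def mat_mul(A, B):
    """Matrix product over F_2."""
    cols = list(zip(*B))
    return [[sum(a & b for a, b in zip(row, col)) % 2 for col in cols] for row in A]


def mat_inv(M):
    """Gauss-Jordan inverse over F_2 (raises StopIteration if M is singular)."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        pivot = next(r for r in range(c, n) if aug[r][c])
        aug[c], aug[pivot] = aug[pivot], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [a ^ b for a, b in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def alpha_power(e):
    """alpha^e as a coefficient list."""
    elt = [1, 0, 0]
    for _ in range(e):
        elt = f8_mul(elt, [0, 1, 0])
    return elt


def build_maps():
    """Return (phi, omega) with phi = f o (f')^-1 and omega = F' o F^-1."""
    # f' sends x, y, z to 1, alpha, alpha^2, so it is the identity matrix
    # in these bases and phi is just the matrix of f: one row per point.
    phi = [list(p) for p in POINTS]
    # F: evaluate each quadratic monomial at each of the six points.
    F = [[(px ** i) * (py ** j) * (pz ** k) % 2 for (i, j, k) in QUADRATIC]
         for (px, py, pz) in POINTS]
    # F': evaluate each monomial at (1 : alpha : alpha^2), i.e. alpha^(j + 2k).
    columns = [alpha_power(j + 2 * k) for (_i, j, k) in QUADRATIC]
    F_prime = [list(row) for row in zip(*columns)]
    return phi, mat_mul(F_prime, mat_inv(F))


PHI, OMEGA = build_maps()


def interp_mul(u, v):
    """Multiply u, v in F_8 using exactly six multiplications in F_2."""
    eu, ev = mat_vec(PHI, u), mat_vec(PHI, v)
    pointwise = [a & b for a, b in zip(eu, ev)]  # the six bilinear products
    return mat_vec(OMEGA, pointwise)


def agrees_everywhere():
    """Compare with the reference product on all 64 pairs of elements."""
    elems = [list(e) for e in product((0, 1), repeat=3)]
    return all(interp_mul(u, v) == f8_mul(u, v) for u in elems for v in elems)


if __name__ == "__main__":
    print("phi   =", PHI)
    print("omega =", OMEGA)
    print("matches F_8 multiplication:", agrees_everywhere())
```
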



Another situation in which Proposition 2.4 could be useful is if one is interested in the bilinear complexity of a local algebra $A'$ that cannot be written as a quotient of a polynomial algebra in only one variable. Indeed such an algebra cannot be "embedded" in a curve (see the discussion on monogenous local algebras below), hence requires higher-dimensional objects for interpolation.

3 The extended Chudnovsky-Chudnovsky algorithm

From now on, $K$ will be a finite field, say $K = \mathbb{F}_q$. We will only consider algebras that are associative, commutative, and with unity.

In fact we will be particularly interested in the following family of $\mathbb{F}_q$-algebras, and their bilinear complexities:



Definition 3.1. For any integers $m, l \ge 1$ we consider the $\mathbb{F}_q$-algebra of polynomials in one indeterminate with coefficients in $\mathbb{F}_{q^m}$, truncated at order $l$:

$$\mathcal{A}_q(m,l) = \mathbb{F}_{q^m}[t]/(t^l) \tag{53}$$

of dimension

$$\dim_{\mathbb{F}_q} \mathcal{A}_q(m,l) = ml, \tag{54}$$

and we denote by

$$\mu_q(m,l) = \mu(\mathcal{A}_q(m,l)/\mathbb{F}_q) \tag{55}$$

its bilinear complexity over $\mathbb{F}_q$.

Of special significance are the following two cases: when $l = 1$,

$$\mu_q(m,1) = \mu_q(m) \tag{56}$$

is the bilinear complexity of multiplication in $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$; and when $m = 1$,

$$\mu_q(1,l) = M_q(l) \tag{57}$$

is the quantity used in the estimates of [14].

Lemma 3.2. With the notations above,

$$\mu_q(m,l) \le \mu_q(m)\, M_{q^m}(l). \tag{58}$$

Proof. Direct consequence of Lemma 1.10 b). □

Remark 3.3. As will be shown later, there are examples where this inequality is strict.
We now introduce another class of $\mathbb{F}_q$-algebras, before studying how they relate to the $\mathcal{A}_q(m,l)$:

• We say that a finite-dimensional $\mathbb{F}_q$-algebra $A$ is monogenous if it can be written as a quotient of the ring of polynomials in one indeterminate over $\mathbb{F}_q$, say: $A \simeq \mathbb{F}_q[t]/(P(t))$. These are precisely the algebras whose bilinear complexity was first studied in [19] [37].

Moreover we say that $A$ is local if it has only one maximal ideal. Thus, by the Chinese remainder theorem, a monogenous local $\mathbb{F}_q$-algebra is necessarily of the form

$$A \simeq \mathbb{F}_q[t]/(Q(t)^l) \tag{59}$$

for some irreducible polynomial $Q$ over $\mathbb{F}_q$ and some integer $l \ge 1$.

• More generally, let $X$ be an algebraic curve over $\mathbb{F}_q$ (the situation discussed just above corresponds to the case $X = \mathbb{P}^1$). By a thickened point in $X$ we mean any closed subscheme of $X$ supported on a closed point (of arbitrary degree). For example, if $Q$ is a closed point in $X$, we denote by $\mathcal{I}_Q$ the sheaf of ideals defining it, and for any integer $l \ge 1$ we let $Q^{[l]}$ be the closed subscheme of $X$ defined by the sheaf of ideals $(\mathcal{I}_Q)^l$. Then $Q^{[l]}$ is a thickened point supported on $Q$. Conversely, any thickened point in $X$ is of this form. Indeed, by convention a curve $X$ is always supposed smooth, hence the local ring $\mathcal{O}_{X,Q}$ of $X$ at $Q$ is principal, and every ideal in this ring is of the form $(t_Q^l)$, where $t_Q$ is a local parameter at $Q$.

We remark that such a thickened point is necessarily affine, and we let

$$\mathcal{A}_{Q^{[l]}} = \Gamma(Q^{[l]}, \mathcal{O}_{Q^{[l]}}) = \Gamma(X, \mathcal{O}_X/(\mathcal{I}_Q)^l) = \mathcal{O}_{X,Q}/(t_Q^l) \tag{60}$$

be its ring of regular functions.

Lemma 3.4. Any monogenous local $\mathbb{F}_q$-algebra, and more generally the ring of functions of any thickened point on a curve over $\mathbb{F}_q$, is isomorphic to some $\mathcal{A}_q(m,l)$. More precisely:

• Let $Q$ be an irreducible polynomial over $\mathbb{F}_q$, of degree $\deg Q = m$, and let $l \ge 1$ be an integer. Then, as $\mathbb{F}_q$-algebras,

$$\mathbb{F}_q[t]/(Q(t)^l) \simeq \mathcal{A}_q(m,l). \tag{61}$$

• More generally, let $X$ be a curve over $\mathbb{F}_q$ and $Q$ a closed point in $X$, of degree $\deg Q = m$, and let $l \ge 1$ be an integer. Then, as $\mathbb{F}_q$-algebras,

$$\mathcal{A}_{Q^{[l]}} \simeq \mathcal{A}_q(m,l). \tag{62}$$

As a consequence, all these algebras have the same bilinear complexity $\mu_q(m,l)$.

Proof. This is a special case of Cohen's structure theorem for complete local rings in equal characteristic (see e.g. [5] AC IX. 30, §3, Th. 2). But for ease of the reader we recall how this works concretely in our specific situation.

Write $\mathcal{A}_{Q^{[l]}} = \mathcal{O}_{X,Q}/(t_Q^l)$, where $\mathcal{O}_{X,Q}$ is the local ring of $X$ at $Q$, and $t_Q$ a local parameter. We will construct an isomorphism

$$(\mathcal{O}_{X,Q}/(t_Q))[t]/(t^l) \simeq \mathcal{O}_{X,Q}/(t_Q^l) \tag{63}$$

hence proving the lemma, since $\mathcal{O}_{X,Q}/(t_Q) = \mathbb{F}_{q^m}$.

To do so, first choose any $\alpha$ generating $\mathcal{O}_{X,Q}/(t_Q)$ over $\mathbb{F}_q$, with minimal polynomial $F_\alpha$, and invoke Hensel's lemma to lift $\alpha$ to a root of $F_\alpha$ in $\mathcal{O}_{X,Q}/(t_Q^l)$. Sending $\alpha$ to this root then defines a morphism of $\mathbb{F}_q$-algebras

$$\mathcal{O}_{X,Q}/(t_Q) \longrightarrow \mathcal{O}_{X,Q}/(t_Q^l) \tag{64}$$

section of the natural projection $\mathcal{O}_{X,Q}/(t_Q^l) \longrightarrow \mathcal{O}_{X,Q}/(t_Q)$, and to conclude, we extend (64) to (63) by sending $t$ to $t_Q$. □

If $X$ is an algebraic curve over $\mathbb{F}_q$, and $D$ a divisor on $X$, we denote by

$$L(D) = \Gamma(X, \mathcal{O}_X(D)) \tag{65}$$

its Riemann-Roch space, and by

$$l(D) = \dim L(D) \tag{66}$$

the dimension (over $\mathbb{F}_q$) of the latter. We also choose a canonical divisor $K_X$ on $X$ and we let

$$i(D) = l(K_X - D) \tag{67}$$

be the index of specialty of $D$. Recall that the Riemann-Roch theorem can then be stated as

$$l(D) - i(D) = \deg D + 1 - g \tag{68}$$

where $g$ is the genus of $X$.

Theorem 3.5. Let $X$ be a curve of genus $g$ over $\mathbb{F}_q$, and let $m, l \ge 1$ be two integers. Suppose that $X$ admits a closed point $Q$ of degree $\deg Q = m$. Let $G$ be an effective divisor on $X$, and write

$$G = u_1 P_1 + \cdots + u_n P_n \tag{69}$$

where the $P_i$ are pairwise distinct closed points, of degree $\deg P_i = d_i$. Suppose there exist two divisors $D_1, D_2$ on $X$ such that:

(i) The natural evaluation map

$$L(D_1 + D_2) \longrightarrow \prod_{i=1}^{n} \mathcal{O}_X(D_1 + D_2)|_{P_i^{[u_i]}} \tag{70}$$

is injective.

(ii) The natural evaluation maps

$$L(D_1) \longrightarrow \mathcal{O}_X(D_1)|_{Q^{[l]}} \qquad L(D_2) \longrightarrow \mathcal{O}_X(D_2)|_{Q^{[l]}} \tag{71}$$

are surjective.

Then

$$\mu_q(m,l) \le \sum_{i=1}^{n} \mu_q(d_i, u_i). \tag{72}$$

In fact we also have $\mu_q(m,l) \le \mu\bigl(\prod_{i=1}^{n} \mathcal{A}_q(d_i,u_i)/\mathbb{F}_q\bigr)$. Moreover, if $D_1 = D_2$, all these inequalities also hold for the symmetric bilinear complexity $\mu^{\mathrm{sym}}$.

Sufficient numerical criteria for the hypotheses above to hold can be given as follows. A sufficient condition for the existence of $Q$ of degree $m$ on $X$ is that $2g + 1 \le q^{(m-1)/2}(q^{1/2} - 1)$, while sufficient conditions for (i) and (ii) are:

(i') The divisor $D_1 + D_2 - G$ is zero-dimensional:

$$l(D_1 + D_2 - G) = 0. \tag{73}$$

(ii') The divisors $D_1 - lQ$ and $D_2 - lQ$ are non-special:

$$i(D_1 - lQ) = i(D_2 - lQ) = 0. \tag{74}$$

More precisely, (i) and (i') are equivalent, while (ii') only implies (ii) a priori.

Proof. Use Proposition 2.4 with $\Sigma = P_1^{[u_1]} \cup \cdots \cup P_n^{[u_n]}$, $\Sigma' = Q^{[l]}$, and $\mathcal{L}_1 = \mathcal{O}_X(D_1)$ and $\mathcal{L}_2 = \mathcal{O}_X(D_2)$. Combined with Lemma 3.4 this gives

$$\mu_q(m,l) \le \mu\Bigl(\prod_{i=1}^{n} \mathcal{A}_q(d_i,u_i)/\mathbb{F}_q\Bigr) \tag{75}$$

as claimed. One can then apply Lemma 1.10 c) to get (72) (whether we lose in passing from (75) to (72) depends on the direct sum conjecture (P5)l ).

As for the numerical sufficient condition stated here for the existence of $Q$, it can be found in [32], Cor. V.2.10.(c). □

Remark 3.6. For applications it might be useful to make things more explicit, so we describe in more concrete terms how the various geometric data in Theorem 3.5 lead to an interpolation system as in Definition 2.1. The key point is to describe the evaluation maps, which can be done in relatively elementary terms when $X$ is a curve. For example we describe the composite map

$$L(D_1) \longrightarrow \mathcal{O}_X(D_1)|_{Q^{[l]}} \simeq \mathcal{A}_q(m,l). \tag{76}$$

As a first step, we choose a local parameter $t_Q$ at $Q$. Then $t_Q^{-v_Q(D_1)}$ is a local generator for $\mathcal{O}_X(D_1)$ at $Q$, and we use this local generator to define a trivialization $\mathcal{O}_X(D_1)|_{Q^{[l]}} \simeq \mathcal{O}_X|_{Q^{[l]}} = \mathcal{O}_{X,Q}/(t_Q^l)$ as asked in (42). Thus we get a map

$$\begin{array}{ccc} L(D_1) & \longrightarrow & \mathcal{O}_{X,Q}/(t_Q^l) \\ f & \longmapsto & t_Q^{v_Q(D_1)} f \bmod (t_Q^l) \end{array} \tag{77}$$

and we compose this with the isomorphism $\mathcal{O}_{X,Q}/(t_Q^l) \simeq (\mathcal{O}_{X,Q}/(t_Q))[t]/(t^l) = \mathcal{A}_q(m,l)$ given in Lemma 3.4 (and made explicit in its proof) to conclude.

The other maps $L(D_2) \longrightarrow \mathcal{A}_q(m,l)$ and $L(D_1 + D_2) \longrightarrow \prod_{i=1}^{n} \mathcal{A}_q(d_i,u_i)$ are described in the same way.

A nice property of these evaluation maps, as is best seen from (77), is that they do not need the points at which we evaluate to be disjoint from the support of the divisor (although this is not a crucial point of the construction, since this situation can also be avoided thanks to the strong approximation theorem).

Remark 3.7. This Theorem 3.5 encompasses essentially all presently known variants of the Chudnovsky-Chudnovsky interpolation method as special cases. For example, restricting to $l = 1$ and $D_1 = D_2$, and using Lemma 3.2 gives Th. 3.1 of [14] (if one further restricts to all $d_i = u_i = 1$, this gives the original version of Chudnovsky-Chudnovsky [17]). Thus one can say that Theorem 3.5 improves the method of [13] in at least two points:

• Allowing asymmetry ($D_1 \ne D_2$) makes conditions (i) and (ii), or (i') and (ii'), easier to satisfy than their counterparts in [13]; in turn this allows more flexibility in the choice of the curve $X$ and the divisor $G$.

• The use of $\mu_q(d,u)$ in the right-hand side of (72), instead of $\mu_q(d) M_{q^d}(u)$ as in [13], leads to stronger estimates. Of course, for this to be useful, one needs upper bounds on these $\mu_q(d,u)$ that are better than the one given in Lemma 3.2. But a nice feature of (72) is that this same quantity $\mu_q(m,l)$ also appears in the left-hand side, so we can try to get these upper bounds from Theorem 3.5 itself, in a sort of recursive procedure.

These points will be illustrated in the following three sections.

4 Genus 0 or 1

The main motivation for this section is the following:

Question 4.1. What is the actual value of $\mu_q(m,l)$ for small $q, m, l$? Or at least, find upper bounds that are better than the one given in Lemma 3.2.

Answering this question can lead to improved bounds also for high values of the parameters. For example, suppose that in Theorem 3.5 we take $l = 1$ and the divisor $G$ consists of:

• $N_1$ points of degree 1, of which $l_1$ with multiplicity 2 and the remaining $N_1 - l_1$ with multiplicity 1

• $N_2$ points of degree 2, of which $l_2$ with multiplicity 2 and the remaining $N_2 - l_2$ with multiplicity 1

• $N_4$ points of degree 4, of which $l_4$ with multiplicity 2 and the remaining $N_4 - l_4$ with multiplicity 1.

Then (72) gives

$$\mu_q(m) \le N_1 + 2 l_1 + 3 N_2 + (\mu_q(2,2) - 3)\, l_2 + \mu_q(4) N_4 + (\mu_q(4,2) - \mu_q(4))\, l_4. \tag{78}$$

Provided $\mu_q(2,2) < 9$ or $\mu_q(4,2) < 3\mu_q(4)$, this improves the bound in Prop. 3.1 of [S]. Such bounds on $\mu_q(2,2)$ or $\mu_q(4,2)$ will be given in Examples 4.4 and 4.5 and Lemma 4.6 below.

Proposition 4.2. Let $m, l \ge 1$ be two integers with

$$ml \le \frac{q}{2} + 1. \tag{79}$$

Then

$$\mu_q(m,l) \le \mu_q^{\mathrm{sym}}(m,l) \le 2ml - 1. \tag{80}$$

More generally let $G$ be an effective divisor on $\mathbb{P}^1$, and write

$$G = u_1 P_1 + \cdots + u_n P_n \tag{81}$$

where the $P_i$ are pairwise distinct closed points, of degree $\deg P_i = d_i$. Suppose

$$\deg G = \sum_{i=1}^{n} d_i u_i \ge 2ml - 1. \tag{82}$$

Then

$$\mu_q(m,l) \le \sum_{i=1}^{n} \mu_q(d_i,u_i) \tag{83}$$

and likewise $\mu_q^{\mathrm{sym}}(m,l) \le \sum_{i=1}^{n} \mu_q^{\mathrm{sym}}(d_i,u_i)$.

Proof. Remark that the first assertion is a particular case of the second, because if $n = 2ml - 1 \le q + 1$, we can find $n$ distinct points of degree 1 on $\mathbb{P}^1$ and let $G$ be their sum. Recall also that $\mathbb{P}^1$ admits points of any degree, and that any divisor of degree $-1$ on $\mathbb{P}^1$ is both zero-dimensional and non-special. So, to conclude, let $D$ be any divisor of degree $ml - 1$ on $\mathbb{P}^1$, and apply Theorem 3.5 with $D_1 = D_2 = D$. □

Recall that an elliptic curve over $\mathbb{F}_q$ is a curve $X$ of genus 1 with a chosen point $P_\infty \in X(\mathbb{F}_q)$. This set $X(\mathbb{F}_q)$ of $\mathbb{F}_q$-rational points of $X$, or equivalently, of closed points of degree 1, then admits a structure of abelian group with identity element $P_\infty$. Also, given such an elliptic curve, there is a map

$$\sigma : \mathrm{Div}(X) \longrightarrow X(\mathbb{F}_q) \tag{84}$$

uniquely defined by the condition that each divisor $D$ of degree $d$ is linearly equivalent to the divisor $\sigma(D) + (d-1)P_\infty$. This map $\sigma$ is a group morphism, it passes to linear equivalence, and induces an isomorphism of the degree 0 class group $\mathrm{Cl}^0(X)$ with $X(\mathbb{F}_q)$. We now generalize a result of Shokrollahi [30] and Chaumine [15]:

Proposition 4.3. Let $X$ be an elliptic curve over $\mathbb{F}_q$, with all notations as above. Let $m, l \ge 1$ be two integers. Suppose that $X$ admits a closed point $Q$ of degree $\deg Q = m$. Let $G$ be an effective divisor on $X$, and write

$$G = u_1 P_1 + \cdots + u_n P_n \tag{85}$$

where the $P_i$ are pairwise distinct closed points, of degree $\deg P_i = d_i$, so $\deg G = \sum_{i=1}^{n} d_i u_i$. Then

$$\mu_q(m,l) \le \sum_{i=1}^{n} \mu_q(d_i,u_i) \tag{86}$$

provided one of the following conditions is satisfied:

a) $\deg G = 2ml$ and $|X(\mathbb{F}_q)| \ge 3$

b) $\deg G = 2ml$ and $|X(\mathbb{F}_q)| \ge 2$, and either $\sigma(G) \ne P_\infty$ or $X(\mathbb{F}_q)$ is not entirely of 2-torsion (or both)

c) $\deg G \ge 2ml + 1$ and $|X(\mathbb{F}_q)| \ge 2$

d) $\deg G \ge 2ml + 3$.

Moreover in cases b), c), or d), one also has $\mu_q^{\mathrm{sym}}(m,l) \le \sum_{i=1}^{n} \mu_q^{\mathrm{sym}}(d_i,u_i)$.

Proof. Recall that a divisor of degree 0 on $X$ is both zero-dimensional and non-special, unless it is linearly equivalent to zero.

Suppose first we're in case a), so $X(\mathbb{F}_q) \simeq \mathrm{Cl}^0(X)$ has order at least 3. This implies that there are two divisors $Z$ and $Z'$ of degree 0 on $X$ that are not linearly equivalent nor linearly equivalent to zero. Let then $D_1 = lQ + Z$, and let $D_2 = lQ + Z$ or $lQ + Z'$, depending on whether $D_1 + D_2 - G = 2lQ + 2Z - G$ or $2lQ + Z + Z' - G$ is not linearly equivalent to zero. With this choice, conditions (i') and (ii') in Theorem 3.5 are satisfied, and the conclusion follows.

Suppose now we're in case b). Suppose first that $X(\mathbb{F}_q) \simeq \mathrm{Cl}^0(X)$ is not entirely of 2-torsion. Then there are two divisors $Z$ and $Z'$ of degree 0 not linearly equivalent to zero, and such that $2Z$ and $2Z'$ are not linearly equivalent. Let then $D_1 = D_2 = lQ + Z$ or $D_1 = D_2 = lQ + Z'$, depending on whether $D_1 + D_2 - G = 2lQ + 2Z - G$ or $2lQ + 2Z' - G$ is not linearly equivalent to zero. With this choice, conditions (i') and (ii') are satisfied again. On the other hand, suppose $X(\mathbb{F}_q) \simeq \mathrm{Cl}^0(X)$ is entirely of 2-torsion, so that $\sigma(G) \ne P_\infty$ by our hypothesis. Let $Z$ be a divisor of degree 0 not linearly equivalent to zero (it exists since $|X(\mathbb{F}_q)| \ge 2$) and take $D_1 = D_2 = lQ + Z$, so condition (ii') is satisfied. Then $\sigma(D_1 + D_2 - G) = \sigma(G) \ne P_\infty$ and condition (i') is also satisfied.

Case c) works likewise: let $Z$ be a divisor of degree 0 not linearly equivalent to zero and take $D_1 = D_2 = lQ + Z$, so condition (ii') is satisfied, while condition (i') is also satisfied for degree reasons.

In case d), we take $D_1 = D_2 = (ml + 1)P_\infty$. Then conditions (i') and (ii') are satisfied for degree reasons.

Last, remark that except perhaps in case a), we always took Di = D2 in the 
proof, so that the estimates then also work for the symmetric bilinear complexity 

Example 4.4. Proposition 4.2 gives

$$\mu_q(2,2) \le 7 \quad \text{for } q \ge 7 \tag{87}$$

and Proposition 4.3 gives

$$\mu_q(2,2) \le 8 \quad \text{for } q = 4 \text{ or } 5. \tag{88}$$

Indeed, recall that the number of points of degree 1 on an elliptic curve $X$ over $\mathbb{F}_q$ can be written as $|X(\mathbb{F}_q)| = q + 1 - t$ for some integer $t$, the trace of $X$, satisfying $|t| \le 2\sqrt{q}$. Conversely, Honda-Tate theory gives additional sufficient and necessary conditions on $t$ for a curve having this number of points to exist ([35], Th. 4.1). The trace $t$ then also determines the number of points on $X$ of any degree. For example, we have $|X(\mathbb{F}_{q^2})| = (q+1)^2 - t^2$ hence $X$ has $\frac{1}{2}\bigl(|X(\mathbb{F}_{q^2})| - |X(\mathbb{F}_q)|\bigr) = \frac{(q+1-t)(q+t)}{2}$ points of degree 2 (and likewise,

'■^'^ ' ~ — '^'^ ~ "^ — - points of degree 4, we will use it in the next example). 

Using this machinery, we see that for $q = 4$ or 5 there exists an elliptic curve over $\mathbb{F}_q$ with eight points of degree 1 (and at least one point of degree 2), so in Proposition 4.3 we can take as $G$ all these points of degree 1, each with multiplicity 1.

Unfortunately it seems difficult to improve the bound $\mu_q(2,2) \le 9$ for $q = 2$ or 3, at least with this generic method. Whether this is the exact value is yet unsettled.



Example 4.5. Proposition 4.2 gives

$$\mu_q(4,2) \le 15 \quad \text{for } q \ge 16 \tag{89}$$

and Proposition 4.3 gives

$$\mu_q(4,2) \le 16 \quad \text{for } q = 9, 11, \text{ or } 13 \tag{90}$$

$$\mu_8(4,2) \le 17 \qquad \mu_7(4,2) \le 18 \qquad \mu_5(4,2) \le 19 \tag{91}$$

$$\mu_4(4,2) \le 20 \qquad \mu_3(4,2) \le 23 \qquad \mu_2(4,2) \le 26. \tag{92}$$

The proof of these bounds follows the same lines as in the previous example.

For $q = 9$, 11, or 13, there is an elliptic curve over $\mathbb{F}_q$ with 16 points of degree 1 (and at least one point of degree 4), so in Proposition 4.3 we can take as $G$ all these points of degree 1, each with multiplicity 1.

For $q = 8$ we can choose the trace $t = -5$, and $G$ consists of 14 points of degree 1 and 1 point of degree 2, all with multiplicity 1.

For $q = 7$ we choose $t = -5$, and $G$ consists of 12 points of degree 1 and 2 points of degree 2, all with multiplicity 1.

For $q = 5$ we choose $t = -4$, and $G$ consists of 10 points of degree 1 and 3 points of degree 2, all with multiplicity 1.

For $q = 4$ we choose $t = -3$, and $G$ consists of 8 points of degree 1 and 4 points of degree 2, all with multiplicity 1.

For $q = 3$ we choose $t = -2$, and $G$ consists of 2 points of degree 1 with multiplicity 1, 4 points of degree 1 with multiplicity 2, and 3 points of degree 2 with multiplicity 1.

For $q = 2$ we choose $t = -1$, and $G$ consists of 4 points of degree 1 with multiplicity 3, and 2 points of degree 2 with multiplicity 1.

Remark that all these bounds already improve the one given by Lemma 3.2 (at least given the best upper bounds on $\mu_q(4)$ known up to now). However, for small $q$ it is possible to do even better as follows.

Lemma 4.6. Suppose $m$ is not prime, and write $m = de$ for some integers $d, e \ge 2$. Then

$$\mu_q(m,l) \le \mu_q(d)\, \mu_{q^d}(e,l) \tag{93}$$

(and likewise $\mu_q^{\mathrm{sym}}(m,l) \le \mu_q^{\mathrm{sym}}(d)\, \mu_{q^d}^{\mathrm{sym}}(e,l)$). In particular:

$$\mu_3(4,2) \le \mu_3(2)\mu_9(2,2) \le 21, \qquad \mu_2(4,2) \le \mu_2(2)\mu_4(2,2) \le 24. \tag{94}$$

Proof. Direct consequence of Lemma 1.10 b), noting that $\mathcal{A}_q(m,l)$ can be considered as an algebra over $\mathbb{F}_{q^d}$, and as such can be identified with $\mathcal{A}_{q^d}(e,l)$. □

We do not claim these new upper bounds to be optimal. Any further im- 
provement (as well as lower bounds, on the other side) would be of interest. 

Example 4.7. In [14], section 5, Cenk and Ozbudak give upper bounds on $\mu_2(163)$ and $\mu_3(97)$. However there is an error in their proof of the first, and the second would need a slight extra justification.

The origin of the error is in their Th. 3.6, which, as stated, is false. Condition (1) in this Th. 3.6 asks for the existence of a non-special divisor of degree $n + g - 1$ (instead of $g - 1$ as in their Th. 3.2 or Cor. 3.5) in order for their evaluation map $\mathrm{Ev}_Q$ to be surjective. However this condition is not sufficient, as illustrated as follows.

To give an upper bound on $\mu_2(163)$, the authors of [14] introduce the elliptic curve $y^2 + y = x^3 + x + 1$ over $\mathbb{F}_2$, which has only one point of degree 1, which means that its class group $\mathrm{Cl}^0$ is trivial. They take a point $Q$ of degree 163 on this curve, and a non-special divisor $D$ of degree 163 disjoint from $Q$. They need their map $\mathrm{Ev}_Q : L(D) \longrightarrow \mathcal{O}_Q/Q$ to be surjective (which the proof of their Th. 3.6 claims). However, this map fits in the long exact sequence

$$0 \longrightarrow L(D - Q) \longrightarrow L(D) \longrightarrow \mathcal{O}_Q/Q \longrightarrow \cdots \tag{95}$$

and since $D - Q$ has degree 0, and the curve has trivial class group, we have $D - Q \sim 0$ and $l(D - Q) = 1$. This means that $\mathrm{Ev}_Q$ is non-injective, and since $L(D)$ and $\mathcal{O}_Q/Q$ have the same dimension (namely 163), $\mathrm{Ev}_Q$ is non-surjective as well.

To fix this error, we can use our Proposition 4.3 instead. We use the same curve as in [14], but since this curve has only one point of degree 1, we need case d) of the proposition, and the divisor $G$ has to be modified accordingly: we take the only point of degree 1 with multiplicity 5, and then we take all 2 points of degree 2, all 4 points of degree 3, all 5 points of degree 4, all 8 points of degree 5, all 8 points of degree 6, all 25 points of degree 8, all with multiplicity 1. Then $G$ has degree

$$\deg G = 1\cdot 5 + 2\cdot 2 + 4\cdot 3 + 5\cdot 4 + 8\cdot 5 + 8\cdot 6 + 25\cdot 8 = 329 = 2\cdot 163 + 3 \tag{96}$$

and Proposition 4.3 d) gives

$$\mu_2(163) \le \mu_2(1,5) + 2\mu_2(2) + 4\mu_2(3) + 5\mu_2(4) + 8\mu_2(5) + 8\mu_2(6) + 25\mu_2(8) \le 910.$$

See [13], Table 1, for the numerical details. Remark they give the upper bound $\mu_2(7) \le 22$, with the quotient 22/7 being the highest among similar estimates up to degree 8. This is why we didn't use points of degree 7 in our $G$, and explains why our upper bound 910 is better than the upper bound 916 in [14], despite our $G$ having higher degree. This said, perhaps further optimizations of this sort are possible.

Concerning the upper bound $\mu_3(97) \le 426$, Cenk and Ozbudak use the curve $y^2 = x^3 + x^2 + 2x + 1$ over $\mathbb{F}_3$. This curve has 3 points of degree 1, hence its $\mathrm{Cl}^0$ is non-trivial, so the error in Condition (1) of their Th. 3.6 is not harmful. However for their upper bound to be fully justified they also need to explain why their application is injective, which they do not. But here again we can use Proposition 4.3 (case a)) instead, with the same curve and the same divisor $G$ as theirs. This gives the same bound $\mu_3(97) \le 426$, without needing any extra justification.
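
The point counts quoted in Examples 4.5 and 4.7 can be recomputed from the trace alone. The following Python code is an added example, not code from the paper: it counts the rational points of the two curves of Example 4.7 by brute force, derives the number of closed points of each degree from the trace via the standard recurrence for $|X(\mathbb{F}_{q^n})|$, and checks that each divisor $G$ has the stated degree and uses no more points than the curve has. Function names are this example's own, and for Example 4.5 the existence of a curve with the stated trace is taken from the text.

```python
"""Closed-point counts on elliptic curves from their trace (Examples 4.5, 4.7)."""


def rational_points(p, lhs, rhs):
    """|X(F_p)| for the affine equation lhs(y) = rhs(x) over a prime field F_p,
    counting the single point at infinity of a Weierstrass model."""
    affine = sum(1 for x in range(p) for y in range(p)
                 if (lhs(y) - rhs(x)) % p == 0)
    return affine + 1


def points_over_extensions(q, t, n_max):
    """[|X(F_{q^n})| for n = 1..n_max] for an elliptic curve of trace t over F_q.
    Uses |X(F_{q^n})| = q^n + 1 - s_n, s_0 = 2, s_1 = t, s_n = t*s_{n-1} - q*s_{n-2};
    for n = 2 this is the formula (q + 1)^2 - t^2 of Example 4.4."""
    s = [2, t]
    for _ in range(2, n_max + 1):
        s.append(t * s[-1] - q * s[-2])
    return [q ** n + 1 - s[n] for n in range(1, n_max + 1)]


def closed_points(q, t, d_max):
    """{d: number of closed points of degree d}, obtained by solving
    |X(F_{q^n})| = sum over d dividing n of d * (points of degree d)."""
    counts = points_over_extensions(q, t, d_max)
    B = {}
    for n in range(1, d_max + 1):
        lower = sum(d * B[d] for d in range(1, n) if n % d == 0)
        B[n] = (counts[n - 1] - lower) // n
    return B


def divisor_degree(parts):
    """deg G for G given as (point degree d, multiplicity u, number of points)."""
    return sum(d * u * k for d, u, k in parts)


def fits_on_curve(parts, B):
    """True if, for every degree d, G uses at most B[d] distinct closed points."""
    used = {}
    for d, _u, k in parts:
        used[d] = used.get(d, 0) + k
    return all(k <= B[d] for d, k in used.items())


# Example 4.7, first curve: y^2 + y = x^3 + x + 1 over F_2.
N1_F2 = rational_points(2, lambda y: y * y + y, lambda x: x ** 3 + x + 1)
T_F2 = 2 + 1 - N1_F2                      # trace t = q + 1 - |X(F_q)|
B_F2 = closed_points(2, T_F2, 8)
# The divisor G used for the bound on mu_2(163): (degree, multiplicity, count).
G_163 = [(1, 5, 1), (2, 1, 2), (3, 1, 4), (4, 1, 5), (5, 1, 8), (6, 1, 8), (8, 1, 25)]

# Example 4.7, second curve: y^2 = x^3 + x^2 + 2x + 1 over F_3.
N1_F3 = rational_points(3, lambda y: y * y, lambda x: x ** 3 + x * x + 2 * x + 1)

# Example 4.5: q -> (trace t, G). Here m = 4 and l = 2, so 2ml = 16.
EXAMPLE_4_5 = {
    8: (-5, [(1, 1, 14), (2, 1, 1)]),
    7: (-5, [(1, 1, 12), (2, 1, 2)]),
    5: (-4, [(1, 1, 10), (2, 1, 3)]),
    4: (-3, [(1, 1, 8), (2, 1, 4)]),
    3: (-2, [(1, 1, 2), (1, 2, 4), (2, 1, 3)]),
    2: (-1, [(1, 3, 4), (2, 1, 2)]),
}


def check_example_4_5():
    """{q: (deg G, whether the curve of trace t has enough points for G)}."""
    return {q: (divisor_degree(G), fits_on_curve(G, closed_points(q, t, 2)))
            for q, (t, G) in EXAMPLE_4_5.items()}


if __name__ == "__main__":
    print("points of degree 1..8 on the F_2 curve:", B_F2)
    print("deg G =", divisor_degree(G_163), "fits:", fits_on_curve(G_163, B_F2))
    print("rational points of the F_3 curve:", N1_F3)
    print("Example 4.5:", check_example_4_5())
```
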

5 Fixing some bounds of Ballet 

For any curve $X$ over $\mathbb{F}_q$, we denote by $B_d(X/\mathbb{F}_q)$ the number of closed points of degree $d$ on $X$, so that, for all $n$,

$$|X(\mathbb{F}_{q^n})| = \sum_{d \mid n} d\, B_d(X/\mathbb{F}_q). \tag{98}$$

We now want to apply Theorem 3.5 with curves of higher genus, as well as give easily verifiable criteria for the existence of divisors $D_1, D_2$ satisfying conditions (i) and (ii), or (i') and (ii'), in this theorem. For example, we can arrange for these conditions to be satisfied for degree reasons:

Proposition 5.1. Let $X$ be a curve of genus $g$ over $\mathbb{F}_q$, and let $m, l \ge 1$ be two integers.

Suppose that $X$ admits a closed point $Q$ of degree $\deg Q = m$ (a sufficient condition for this is $2g + 1 \le q^{(m-1)/2}(q^{1/2} - 1)$).

Suppose also that $X$ admits a non-special divisor $S$, of degree $g + e - 1$, for an integer $e$ as small as possible (hence $e \le g$ by the Riemann-Roch theorem).

Consider now a collection of integers $n_{d,u} \ge 0$ (for $d, u \ge 1$), such that almost all of them are zero, and that for any $d$,

$$n_d = \sum_{u} n_{d,u} \le B_d(X/\mathbb{F}_q). \tag{99}$$

Then, provided

$$\sum_{d,u} n_{d,u}\, d u \ge 2ml + 2e + 2g - 1 \tag{100}$$

we have

$$\mu_q(m,l) \le \sum_{d,u} n_{d,u}\, \mu_q(d,u) \tag{101}$$

and likewise

$$\mu_q^{\mathrm{sym}}(m,l) \le \sum_{d,u} n_{d,u}\, \mu_q^{\mathrm{sym}}(d,u). \tag{102}$$

Proof. For $1 \le j \le n_{d,u}$ choose a point $P_{d,u,j}$ of degree $d$ in $X$, such that $P_{d,u,j} \ne P_{d,u',j'}$ if $(u,j) \ne (u',j')$. This is possible by (99). Let then $G = \sum_{d,u} \sum_{1 \le j \le n_{d,u}} u P_{d,u,j}$, so that $\deg G = \sum_{d,u} n_{d,u}\, d u$. Let also $D = D_1 = D_2 = S + lQ$, so $D - lQ$ is non-special, and $2D - G$ has negative degree by (100). Hence conditions (i') and (ii') in Theorem 3.5 are satisfied and we can conclude. □

In order to use this proposition one needs good upper bounds on $e$. For results of this type, see for example [3] or [6]. In many cases it is possible to take $e = 0$. However under some mild hypothesis on $q$ or $X$, it is possible to do substantially better, namely we can gain an additional constant $g$ in (100). For this to be possible, one needs to replace the degree argument in the proof with a finer method ensuring that conditions (i') and (ii') are still satisfied for some divisors $D_1, D_2$ of appropriate degree. Having allowed asymmetry in our interpolation system will make this easier. In fact we will give two different methods achieving this. The first one will show the existence of $D_1, D_2$ using a cardinality argument. The second one will be more constructive, and works also in a symmetric setting, although only under more restrictive conditions.

Theorem 5.2. Let $X$ be a curve of genus $g$ over $\mathbb{F}_q$, and let $m, l \ge 1$ be two integers.

Suppose that $X$ admits a closed point $Q$ of degree $\deg Q = m$ (a sufficient condition for this is $2g + 1 \le q^{(m-1)/2}(q^{1/2} - 1)$).

Consider now a collection of integers $n_{d,u} \ge 0$ (for $d, u \ge 1$), such that almost all of them are zero, and that for any $d$,

$$n_d = \sum_{u} n_{d,u} \le B_d(X/\mathbb{F}_q). \tag{103}$$

Suppose also

$$\sum_{d,u} n_{d,u}\, d u \ge 2ml + g - 1. \tag{104}$$

Then:

a) If $q \ge 5$, we have

$$\mu_q(m,l) \le \sum_{d,u} n_{d,u}\, \mu_q(d,u). \tag{105}$$

b) If $|X(\mathbb{F}_q)| > 2g$, we have

$$\mu_q(m,l) \le \sum_{d,u} n_{d,u}\, \mu_q(d,u). \tag{106}$$

Moreover, suppose $X$ and $Q$ are given explicitly, that $2g + 1$ points of degree 1 on $X$ are given explicitly, and, for any $d$, that $n_d$ points of degree $d$ on $X$ are given explicitly. Suppose also that for each $d, u$ such that $n_{d,u} > 0$, we are given explicitly a multiplication algorithm of length $l_{d,u}$ for $\mathcal{A}_q(d,u)$. Then, after at most $3g^2$ computations of Riemann-Roch spaces on $X$, we can construct explicitly a multiplication algorithm of length $\sum_{d,u} n_{d,u}\, l_{d,u}$ for $\mathcal{A}_q(m,l)$.

c) If $|X(\mathbb{F}_q)| > 5g$, we have

$$\mu_q^{\mathrm{sym}}(m,l) \le \sum_{d,u} n_{d,u}\, \mu_q^{\mathrm{sym}}(d,u). \tag{107}$$

Moreover, suppose $X$ and $Q$ are given explicitly, that $5g + 1$ points of degree 1 on $X$ are given explicitly, and, for any $d$, that $n_d$ points of degree $d$ on $X$ are given explicitly. Suppose also that for each $d, u$ such that $n_{d,u} > 0$, we are given explicitly a symmetric multiplication algorithm of length $l_{d,u}$ for $\mathcal{A}_q(d,u)$. Then, after at most $5g^2$ computations of Riemann-Roch spaces on $X$, we can construct explicitly a symmetric multiplication algorithm of length $\sum_{d,u} n_{d,u}\, l_{d,u}$ for $\mathcal{A}_q(m,l)$.

Proof. For $1 \le j \le n_{d,u}$ choose a point $P_{d,u,j}$ of degree $d$ in $X$, such that $P_{d,u,j} \ne P_{d,u',j'}$ if $(u,j) \ne (u',j')$. This is possible by (99) (moreover, in cases b) and c), these $P_{d,u,j}$ are chosen among the $n_d$ points of degree $d$ given explicitly). Let then $G = \sum_{d,u} \sum_{1 \le j \le n_{d,u}} u P_{d,u,j}$, so that $\deg G = \sum_{d,u} n_{d,u}\, d u$.

Proof of case a). We suppose $q \ge 5$, and we can also suppose $g \ge 2$, otherwise the conclusion follows from the results of the previous section. Let $h = |\mathrm{Cl}^0(X)|$ be the class number of $X$. Then we also have $h = |\mathrm{Cl}^i(X)|$ for any integer $i$, where $\mathrm{Cl}^i(X)$ is the set of linear equivalence classes of divisors of degree $i$ on $X$. Let also

$$\mathrm{Cl}^i_{\mathrm{eff}}(X) \subset \mathrm{Cl}^i(X) \tag{108}$$

be the set of linear equivalence classes of effective divisors of degree $i$ on $X$, or equivalently, the set of linear equivalence classes of divisors $D$ of degree $i$ on $X$ such that $l(D) > 0$. We then recall from [5S], eq. (6), that if $A_i$ is the number of effective divisors on $X$, then

A,_i + 2 y: g(«— 1)/2 A, < 7375^ (109) 

hence for any i < g ~ 1 

-^^VJXM < 4,- < 



^a-i+^Z^q ^<S / i/2„n2 

i=0 ^^ ' 



\C\UX)\<A,< ,/^_ <^ (110)
(see also [T], Lemma 2.1, and [5], Th. 3.3). We now let

$$t = ml + g - 1 \tag{111}$$

and we claim that we can find divisors $D_1, D_2$ of degree $t$ such that:

(i') $D_1 + D_2 - G$ is zero-dimensional

(ii'$_1$) $D_1 - lQ$ is non-special

(ii'$_2$) $D_2 - lQ$ is non-special.

Indeed, (ii'$_1$) means that the linear equivalence class $[D_1 - lQ]$ is not in $\mathrm{Cl}^{g-1}_{\mathrm{eff}}(X)$, or equivalently,

$$[D_1] \notin \mathrm{Cl}^{g-1}_{\mathrm{eff}}(X) + [lQ]. \tag{112}$$

But since translation by $[lQ]$ puts $\mathrm{Cl}^{g-1}(X)$ in bijection with $\mathrm{Cl}^{t}(X)$, applying (110) shows the translate $\mathrm{Cl}^{g-1}_{\mathrm{eff}}(X) + [lQ]$ cannot cover all $\mathrm{Cl}^{t}(X)$, hence we can find $D_1$ as wished. Now, this $D_1$ being fixed, (i') and (ii'$_2$) together mean

$$[D_2] \notin \bigl(\mathrm{Cl}^{2t - \deg G}_{\mathrm{eff}}(X) + [G - D_1]\bigr) \cup \bigl(\mathrm{Cl}^{g-1}_{\mathrm{eff}}(X) + [lQ]\bigr), \tag{113}$$

where $2t - \deg G \le g - 1$ by (104). But again (110) shows that the union of these translates has cardinality less than $h/2 + h/2$, and we can find $D_2$ as wished. All this done we can now apply Theorem 3.5 and conclude.



Proof of case b). Suppose we are given a set $S = \{P_0, P_1, \dots, P_{2g}\}$ of $2g + 1$ points of degree 1 on $X$. As in case a), all we need is to construct divisors $D_1, D_2$ of degree $t$ satisfying (i'), (ii'$_1$), (ii'$_2$), and apply Theorem 3.5 to conclude. From [28], Lemma 6, we recall the following:

If $A$ is a divisor on $X$ with $\deg A \le g - 2$ and $l(A) = 0$, there are at most $g$ points $P \in X(\mathbb{F}_q)$ such that $l(A + P) > 0$. (114)

For $-1 \le i \le g - 1$ we construct a divisor $Y_i$ on $X$ of degree $ml + i$ such that $l(Y_i - lQ) = 0$ iteratively as follows:

• Start with $Y_{-1} = (ml - 1)P_0$, so $l(Y_{-1} - lQ) = 0$ for degree reasons.

• Suppose up to some $i < g - 1$ we have found $Y_i$ such that $l(Y_i - lQ) = 0$ as wished. Then by (114) there exists $P \in S$ such that $l(Y_i + P - lQ) = 0$. We put $Y_{i+1} = Y_i + P$.

• This ends when $i = g - 1$.

We can then put $D_1 = Y_{g-1}$, so that (ii'$_1$) is satisfied.

Now for $-1 \le i \le g - 1$ we construct a divisor $Z_i$ on $X$ of degree $ml + i$ such that $l(Z_i - lQ) = 0$ and $l(D_1 + Z_i - G) = 0$ iteratively as follows:

• Start with $Z_{-1} = (ml - 1)P_0$, so $l(Z_{-1} - lQ) = 0$ and $l(D_1 + Z_{-1} - G) = 0$ for degree reasons (via hypothesis (104) for the second).

• Suppose up to some $i < g - 1$ we have found $Z_i$ such that $l(Z_i - lQ) = 0$ and $l(D_1 + Z_i - G) = 0$ as wished. We claim there is a point $P \in S$ such that $l(Z_i + P - lQ) = 0$ and $l(D_1 + Z_i + P - G) = 0$. Indeed by (114) the first can fail at most $g$ times, and likewise the second can fail at most $g$ times. We then put $Z_{i+1} = Z_i + P$.

• This ends when $i = g - 1$.

We can then put $D_2 = Z_{g-1}$, so that (i') and (ii'$_2$) are satisfied, and we're done.

Proof of case c). Suppose we are given a set $T = \{P_0, P_1, \dots, P_{5g}\}$ of $5g + 1$
points of degree 1 on $X$. From [28], Lemma 9, we recall the following:

If $A$ is a divisor on $X$ with $\deg A \le g - 3$ and $l(A) = 0$, there are
at most $4g$ points $P \in X(\mathbb{F}_q)$ such that $l(A + 2P) > 0$. (115)

Then for $-1 \le i \le g - 1$ we construct a divisor $T_i$ on $X$ of degree $ml + i$ such
that $l(T_i - lQ) = 0$ and $l(2T_i - G) = 0$ iteratively as follows:

• Start with $T_{-1} = (ml - 1)P_0$, so $l(T_{-1} - lQ) = 0$ and $l(2T_{-1} - G) = 0$ for
degree reasons (via hypothesis (104) for the second).

• Suppose up to some $i < g - 1$ we have found $T_i$ such that $l(T_i - lQ) = 0$
and $l(2T_i - G) = 0$ as wished. We claim there is a point $P \in T$ such that
$l(T_i + P - lQ) = 0$ and $l(2T_i + 2P - G) = 0$. Indeed by (114) the first can
fail at most $g$ times, and by (115) the second can fail at most $4g$ times.
We then put $T_{i+1} = T_i + P$.

• This ends when $i = g - 1$.

We can then put $D_1 = D_2 = T_{g-1}$ and conclude by Theorem 3.5 again. □



Remark 5.3. As explained in the Introduction, this Theorem 5.2 fixes an error
in an article of Ballet. More precisely, if we take $l = 1$, and we choose all $n_{d,u}$
equal to zero except for $n_{1,1}$, then case a) of Theorem 5.2 gives statement (1) in
Th. 2.1 of [1] as a special case; and likewise if we choose all $n_{d,u}$ equal to zero
except for $n_{1,1}$ and $n_{2,1}$, we get its statement (2).

Remark that our proof of case a) is structurally the same as Ballet's. The
only difference is that we allowed the asymmetry $D_1 \ne D_2$, so $D_1$ and $D_2$
could be constructed one at a time, and in establishing (112) and (113) we only
had to consider translations $[D] \mapsto [D] - [A]$ which put $\mathrm{Cl}^{t}(X)$ in bijection
with $\mathrm{Cl}^{t - \deg A}(X)$. On the other hand Ballet had to consider a map of the
form $[D] \mapsto 2[D] - [G]$ which might be non-injective. The error in Ballet's [1],
Prop. 2.1. is that he did not take the possible kernel of this multiplication-by-2
map (that is, the 2-torsion in the class group) into account. As explained in the
Introduction, this error was in fact borrowed from [31], and was first spotted by
Cascudo-Cramer-Xing (see [11], Chapter 12).

Remark also that case c) of Theorem 5.2 gives another way of fixing this
error, while keeping symmetry. A drawback is that the condition $|X(\mathbb{F}_q)| > 5g$
in case c) imposes serious restrictions on the curves to be used, hence for some
values of $q$, it does not lead to interesting bounds.

So, for applications, case a) is often more suitable, and indeed it allows us
to fix the proof of further bounds of Ballet that were jeopardized by the error
in his Th. 2.1:

Corollary 5.4. Let $p$ be a prime number and $q = p^r$ a power of $p$, with $q > 5$.
Then for all integers $n \ge 1$ we have

3(1 + ^) ^fr^l 
l^^{n)<\2[l + ^) tfr^2 (116) 



3(l + ^j ifr>3odd. 

Proof. Use Theorem 5.2 instead of Th. 2.1 of [1], in the proof of the corresponding
cases of Th. 3.1 of [1] and Th. 2.1 and 2.2 of [2].

More precisely, Theorem 5.2 with $l = 1$, $m = n$, $n_{1,1} = B_1(X/\mathbb{F}_q)$, and
the other $n_{d,u} = 0$, replaces Th. 2.1.(1) of [1]. While Theorem 5.2 with $l = 1$,
$m = n$, $n_{1,1} = B_1(X/\mathbb{F}_q)$, $n_{2,1} = B_2(X/\mathbb{F}_q)$, and the other $n_{d,u} = 0$, replaces
Th. 2.1.(2) of [1]. □

Remark 5.5. There is a case of Th. 3.1 of [1] that we didn't include in our
Corollary. Namely, Th. 3.1 of [1] claims that the bound ^/ig(«) < 2 ( 1 + 7=^ )
holds for all $r$ even, not only for $r = 2$. The reason for this omission is that there
is another error in the proof of this Th. 3.1 of Ballet, apart from the oversight
of the 2-torsion already mentioned.

Indeed in his proof Ballet considers two consecutive prime numbers $l_1$ and
$l_2$ determined by $n$ and he claims that he can apply his Prop. 3.1.(2) to this $l_2$.
However this Prop. 3.1.(2) only states that there exists a prime number $l$ for
which its conclusion holds, not that it holds for all prime numbers. Looking
more closely at the proof, we see it works for primes $l$ for which certain points
split completely in a certain morphism of curves, which in turn can be translated
as the primes $l$ lying in a certain arithmetic progression. However there is no
reason that $l_2$ should be in this arithmetic progression, except in the case $r = 2$
where it is trivial.

On the other hand, it is easy to see that this bound, and even a slightly 
stronger one, holds at least asymptotically (if not for all n), as will be seen with 
our fix of the Shparlinski-Tsfasman-Vladut bound below. 

To end this section, we want to show how the condition $q > 5$ in Theorem 5.2 a)
can be relaxed, at the cost of only weakening condition (104) by a
small absolute constant, independent of $g$. For this we will use a generalization
of (110), that might also be seen as a variant of [6], Th. 3.3 and Cor. 3.4.

Lemma 5.6. Let $X$ be a curve of genus $g \ge 2$ over $\mathbb{F}_q$, of class number $h$, and
for any integer $i$ let $A_i$ be the number of effective divisors of degree $i$ on $X$.

Define an integer $e_q$ as follows:

\[ e_q = \begin{cases} 2 & \text{if } q = 2 \\ 1 & \text{if } q = 3, 4, 5 \\ 0 & \text{if } q > 5. \end{cases} \tag{117} \]

Then there is an integer $e$ with $0 \le e \le e_q$ such that

\[ A_{g-e-1} + A_j < h \tag{118} \]

for all $j \le g + 2e - 3e_q - 1$.

Proof. We first consider the case $q = 2$. If $g = 2$, take $e = e_q = 2$, so (118) is
satisfied since $A_j = 0$ for $j < 0$. Now suppose $g \ge 3$, and write (109) in the
form

\[ A_{g-1} + 2\sqrt{2}\,A_{g-2} + 4A_{g-3} + \cdots + 2(\sqrt{2})^{g-1}A_0 \le (3 + 2\sqrt{2})h. \tag{119} \]

We proceed by contradiction and suppose that the lemma is false. This means
that the following three inequalities hold:

\[ A_{g-3} + A_j \ge h \quad \text{for some } j \le g - 3 \tag{120} \]

\[ A_{g-2} + A_{j'} \ge h \quad \text{for some } j' \le g - 5 \tag{121} \]

\[ A_{g-1} + A_{j''} \ge h \quad \text{for some } j'' \le g - 7. \tag{122} \]

We multiply (120) by $2$, (121) by $2\sqrt{2}$, and sum with (122), to get:

\[ A_{g-1} + 2\sqrt{2}\,A_{g-2} + 2A_{g-3} + 2A_j + 2\sqrt{2}\,A_{j'} + A_{j''} \ge (3 + 2\sqrt{2})h. \tag{123} \]

Comparing coefficients (and discussing whether $j = g - 3$ or $j \le g - 4$, and
whether $j, j', j''$ are all distinct or some of them are equal) we see that the left-hand
side of (123) is less than or equal to the left-hand side of (119). To get a
contradiction, it suffices to prove that the inequality is strict.

If $g \ge 4$, the coefficient of $A_0 = 1$ in (123) is strictly less than in (119), so
the inequality is strict indeed.

Last, if $g = 3$, the only way to have equality is to have $j = g - 3 = 0$,
with equality also in (120), (121), and (122). But from this and $A_0 = 1$ we
deduce $h = 2 = A_1 = A_2$. However $A_1 = 2$ means there are two points $P_1, P_2$ of
degree 1 on $X$, and considering the divisors $2P_1$, $2P_2$, $P_1 + P_2$, we find $A_2 \ge 3$,
a contradiction.

The case $q = 3$ works the same. Write (109) as

\[ A_{g-1} + 2\sqrt{3}\,A_{g-2} + 6A_{g-3} + \cdots + 2(\sqrt{3})^{g-1}A_0 \le (1 + \sqrt{3}/2)h < 2h. \tag{124} \]

If the lemma were false, one could find $j \le g - 2$ with $A_{g-2} + A_j \ge h$, and
$j' \le g - 4$ with $A_{g-1} + A_{j'} \ge h$. Summing these two inequalities would then
contradict (124).

To finish the proof, for $q = 4$ or $5$, remark that (109) implies $A_i < h/2$ for
$i \le g - 2$, so we can take $e = e_q = 1$. And for $q > 5$ we find $A_i < h/2$ for
$i \le g - 1$, so $e = e_q = 0$ works, as claimed. □

Proposition 5.7. Let $X$ be a curve of genus $g \ge 2$ over $\mathbb{F}_q$, where $q \ge 2$ is any
prime power, and let $m, l \ge 1$ be two integers.

Suppose that $X$ admits a closed point $Q$ of degree $\deg Q = m$ (a sufficient
condition for this is $2g + 1 \le q^{(m-1)/2}(q^{1/2} - 1)$).

Let $e_q$ be defined as in the previous lemma (remark $e_q \le 2$ in any case).

Consider now a collection of integers $n_{d,u} \ge 0$ (for $d, u \ge 1$), such that
almost all of them are zero, and that for any $d$,

\[ n_d = \sum_{u} n_{d,u} \le B_d(X/\mathbb{F}_q). \tag{125} \]

Then, provided

\[ \sum_{d,u} n_{d,u}\,du \ge 2ml + 3e_q + g - 1, \tag{126} \]

we have

\[ \mu_q(m, l) \le \sum_{d,u} n_{d,u}\,\mu_q(d, u). \tag{127} \]

Proof. We argue essentially as in the proof of Theorem 5.2 a) with only a few
minor changes. From the collection of integers $n_{d,u}$ we first construct a divisor
$G$, of degree $\deg G = \sum_{d,u} n_{d,u}\,du$, as before. For any integer $i$ we let

\[ \mathrm{Cl}^{i}_{\mathrm{sp}}(X) \subset \mathrm{Cl}^{i}(X) \tag{128} \]

be the set of linear equivalence classes of special divisors on $X$, hence by the
Riemann-Roch theorem $\mathrm{Cl}^{i}_{\mathrm{sp}}(X) = [K_X] - \mathrm{Cl}^{2g-2-i}_{\mathrm{eff}}(X)$, so

\[ |\mathrm{Cl}^{i}_{\mathrm{sp}}(X)| = |\mathrm{Cl}^{2g-2-i}_{\mathrm{eff}}(X)| \le A_{2g-2-i}, \tag{129} \]

and by Lemma 5.6 there is an $e$ with $0 \le e \le e_q$ and

\[ |\mathrm{Cl}^{e+g-1}_{\mathrm{sp}}(X)| \le |\mathrm{Cl}^{j}_{\mathrm{eff}}(X)| + |\mathrm{Cl}^{e+g-1}_{\mathrm{sp}}(X)| \le A_j + A_{g-e-1} < h \tag{130} \]

for all $j \le g + 2e - 3e_q - 1$.
Then letting

\[ t = ml + e + g - 1 \tag{131} \]

and using (130) instead of (110), we can first find a divisor $D_1$ of degree $t$ such
that

\[ [D_1] \notin \mathrm{Cl}^{e+g-1}_{\mathrm{sp}}(X) + [lQ], \tag{132} \]

ensuring $(ii'_1)$ as in the proof of Theorem 5.2 a), and then, a divisor $D_2$ of degree
$t$ such that

\[ [D_2] \notin \bigl(\mathrm{Cl}^{2t-\deg G}_{\mathrm{eff}}(X) + [G - D_1]\bigr) \cup \bigl(\mathrm{Cl}^{e+g-1}_{\mathrm{sp}}(X) + [lQ]\bigr), \tag{133} \]

(remark $2t - \deg G \le g + 2e - 3e_q - 1$ by (126)), ensuring $(i')$ and $(ii'_2)$, and we
conclude as before. □

Remark 5.8. Many results in this part, concerning "uniform" upper bounds,
can still be improved or generalized, in various directions, for example:

• Following Ballet's proof, the case $r = 2$ in Corollary 5.4 uses modular
curves of prime genus, and then relies on Bertrand's postulate (proved by
Chebyshev) for these primes. It is possible to refine both parts of this
argument (allow non-prime values for the genus, and get a finer control
on the gaps between these values), leading to sharper bounds in this case.

• Theorem 5.2 (and Proposition 5.7) can also be combined with descent
arguments, such as those used in [S], to derive better bounds than the
ones in Corollary 5.4 when $q$ is not a square.

All these improvements or generalizations require quite long technical discussions
and are somewhat independent of the main ideas presented in this paper,
so they will be treated elsewhere.

6 Fixing the Shparlinski-Tsfasman-Vladut asymptotic upper bound

The Shparlinski-Tsfasman-Vladut upper bound [31] concerns the asymptotic
quantities defined below. As explained earlier in the text, there was a gap in
their proof, which our methods allow us to fill (with two independent arguments).

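Definition 6.1. If $q$ is a prime power, we let

\[ \begin{aligned} m_q &= \liminf_{n \to \infty} \frac{1}{n}\,\mu_q(n) \\ M_q &= \limsup_{n \to \infty} \frac{1}{n}\,\mu_q(n) \end{aligned} \tag{134} \]

and their symmetric counterparts $m_q^{\mathrm{sym}}$ and $M_q^{\mathrm{sym}}$ are defined likewise.

Definition 6.2. We let $A(q)$ be the largest real number such that there exists
a family of curves $X_s$ over $\mathbb{F}_q$, of genus $g_s$ going to infinity, with

\[ \lim_{s \to \infty} \frac{|X_s(\mathbb{F}_q)|}{g_s} = A(q). \tag{135} \]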



Theorem 6.3. If $A(q) > 1$, then

\[ m_q \le 2\left(1 + \frac{1}{A(q) - 1}\right). \tag{136} \]

Moreover, if $A(q) > 5$, then also $m_q^{\mathrm{sym}} \le 2\left(1 + \frac{1}{A(q) - 1}\right)$.

Proof. Consider a family of curves $X_s$ over $\mathbb{F}_q$, of genus $g_s$ going to infinity, with

\[ \lim_{s \to \infty} \frac{|X_s(\mathbb{F}_q)|}{g_s} = A(q). \tag{137} \]

Given an integer $s$, let

\[ n(s) = \left\lfloor \frac{1}{2}\bigl(|X_s(\mathbb{F}_q)| - g_s - 5\bigr) \right\rfloor, \tag{138} \]

hence by (137)

\[ \lim_{s \to \infty} \frac{n(s)}{g_s} = \frac{A(q) - 1}{2}. \tag{139} \]

Then for $s$ large enough we have $2g_s + 1 \le q^{(n(s)-1)/2}(q^{1/2} - 1)$ and we can
apply Proposition 5.7 with $l = 1$ and $m = n(s)$, and with all $n_{d,u}$ zero except
$n_{1,1} = 2n(s) + g_s + 5$, to get

\[ \mu_q(n(s)) \le 2n(s) + g_s + 5, \tag{140} \]

which allows us to conclude.

If $A(q) > 5$, then $|X_s(\mathbb{F}_q)| > 5g_s$ for $s$ large enough, and we can use
Theorem 5.2 c) to conclude likewise. □
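
The limit argument behind the first part of this proof, written out with the notation above (an added derivation, not part of the original text). It assumes $n(s) = \lfloor \frac{1}{2}(|X_s(\mathbb{F}_q)| - g_s - 5) \rfloor$ and uses that $B_1(X_s/\mathbb{F}_q)$, the number of points of degree 1, equals $|X_s(\mathbb{F}_q)|$.

The choice $n_{1,1} = 2n(s) + g_s + 5$ meets both hypotheses of Proposition 5.7 with $m = n(s)$, $l = 1$: the definition of $n(s)$ gives $2n(s) \le |X_s(\mathbb{F}_q)| - g_s - 5$, hence $n_{1,1} \le B_1(X_s/\mathbb{F}_q)$, which is (125); and $e_q \le 2$ gives $3e_q - 1 \le 5$, hence $n_{1,1} \ge 2n(s) + 3e_q + g_s - 1$, which is (126). Dividing (140) by $n(s)$:

\[ \frac{\mu_q(n(s))}{n(s)} \le 2 + \frac{g_s}{n(s)} + \frac{5}{n(s)}. \]

Since $|X_s(\mathbb{F}_q)|/g_s \to A(q) > 1$ and $g_s \to \infty$, we get $n(s)/g_s \to (A(q) - 1)/2 > 0$, so $n(s) \to \infty$, $g_s/n(s) \to 2/(A(q) - 1)$ and $5/n(s) \to 0$. Because $n(s)$ tends to infinity, the liminf over all $n$ is at most the liminf along the values $n(s)$:

\[ m_q = \liminf_{n \to \infty} \frac{\mu_q(n)}{n} \le \liminf_{s \to \infty} \frac{\mu_q(n(s))}{n(s)} \le 2 + \frac{2}{A(q) - 1} = 2\left(1 + \frac{1}{A(q) - 1}\right). \]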

Theorem 6.4. If $q = p^{2r} \ge 9$ is a square, then

Af,<2(l + ^). (141)

Moreover, if $q = p^{2r} \ge 49$, then also j^jsym < 2 ^l + 1

Proof. Consider the Shimura curves described in [31], pp. 163-166. They form
a family of curves $X_s$ over $\mathbb{F}_q$, of genus $g_s$ going to infinity, with

hm^ilM.^.l (142) 

s-i-oo gs 

and 

lini ^Iti = 1. (143) 

Given an integer $n$, let $s(n)$ be the smallest integer such that

\[ |X_{s(n)}(\mathbb{F}_q)| \ge 2n + g_{s(n)} - 1, \tag{144} \]

hence by (142) and (143),

2n
5s(n) = ^_^ + o(n). (145)

This then gives $2g_{s(n)} + 1 \le q^{(n-1)/2}(q^{1/2} - 1)$ for $n$ large enough, and we can
apply Theorem 5.2 a) with $l = 1$ and $m = n$, and with all $n_{d,u}$ zero except
$n_{1,1} = 2n + g_{s(n)} - 1$, to get

\[ \mu_q(n) \le 2n + g_{s(n)} - 1. \tag{146} \]

This holds for all $n$ large enough, hence dividing by $n$ and using (145) again
allows us to conclude.

If $q \ge 49$, then we can use Theorem 5.2 c) instead, and conclude likewise. □

Remark 6.5. As noted in [5], we also immediately get from Corollary 5.4 the
bounds Mp < 3 (l + ^] for $p$ prime, and Af, < 3 fl + ■^'] for $q = p^r$, $r \ge 3$
odd.

Remark 6.6. Prop. 4.1 of [31] also discusses some constructiveness issues,
which we can improve here. Suppose that $q \ge 9$ is a square, and that for some
increasing sequence of integers $n$, we are given explicitly a curve $X_n$ of genus

2n 
5„ = ^-^+oH, (147) 

together with a point $Q$ of degree $n$ on $X_n$, and a set $S$ of points of degree 1 on
$X_n$, such that

\[ |S| \ge 2n + g_n - 1 \tag{148} \]

(this is possible, for example, with the curves in [20]). Then in the preceding
proof we can use Theorem 5.2 b) instead of Theorem 5.2 a), which leads to a
polynomial time (in $n$) construction of a multiplication algorithm for $\mathbb{F}_{q^n}/\mathbb{F}_q$,

of length 2n ( 1 + J_^ 1 + o{n) (moreover if $q \ge 49$, we can use Theorem 5.2 c)

to make the algorithm symmetric). This is better than Prop. 4.1 of [31] which,

under the same hypothesis, gives an algorithm of length 2n ( 1 H — ■^s—^ j + o{n). 

Remark 6.7. Here we studied the asymptotics of $\mu_q(n) = \mu_q(n, 1)$. We could
do the same thing for $M_q(n) = \mu_q(1, n)$, or more generally for $\mu_q(m, l)$ when
both $m$ and $l$ vary.

Note that the parameters $m$ and $l$ appear at two places in Theorem 5.2 (or
likewise in Proposition 5.7):

• First, $m$ appears alone when one asks that the curve $X$ should admit a
point $Q$ of degree $m$.

• Then $m$ and $l$ appear together through the product $ml$ = dim ^^ ($m$, $l$) in
condition (104).

Since the curves in the proofs of Theorems 6.3 and 6.4 all admit at least one
point of degree 1, we see that the asymptotic estimates given there for $\mu_q(n)$
also hold for $M_q(n)$:

\[ \liminf_{n \to \infty} \frac{1}{n}\,M_q(n) \le 2\left(1 + \frac{1}{A(q) - 1}\right) \quad \text{for } A(q) > 1 \tag{149} \]

limsup —Mq{n) < 2 ( 1 H — — - ) for q > 9 a square (150)



1 — . . , . /. 1 

(and likewise for their symmetric counterparts). 

The same techniques also give asymptotic upper bounds for 



—fj.q{m,l). (151) 

However in order to ensure that the curves admit a point of degree $m$, we will
rely on the sufficient condition $2g + 1 \le q^{(m-1)/2}(q^{1/2} - 1)$, and since in the
proofs we will have curves of genus $g$ growing linearly with $n = ml$ (see (139)
or (145)), these upper bounds will be valid only in a domain in which $m$ grows
at least logarithmically with $ml$.



Question 6.8. The condition $A(q) > 5$ in the last statement of Theorem 6.3
(and likewise $q \ge 49$ in Theorem 6.4) might appear strange. A natural question
is whether the estimate should be valid under the condition $A(q) > 1$ also in
the symmetric case. In fact this condition $A(q) > 5$ can be relaxed very slightly,
as shown in [25]. However, to relax it further to $A(q) > 1$ would require much
deeper results, such as the conjectures proposed in P7J on the existence of curves
having many points but few 2-torsion in their class group.

This also leads to the following question: do $m_q^{\mathrm{sym}} = m_q$, or $M_q^{\mathrm{sym}} = M_q$,
or more generally $\mu_q^{\mathrm{sym}}(m, l) = \mu_q(m, l)$ for all $q, m, l$? Of course this should be
put in contrast with the example in Remark 1.7.